Movatterモバイル変換

[0]ホーム
URL:

US10129282B2 - Anomalous network monitoring, user behavior detection and database system - Google Patents

Anomalous network monitoring, user behavior detection and database systemDownload PDF

Info

Publication number
US10129282B2
US10129282B2US15/395,483US201615395483AUS10129282B2US 10129282 B2US10129282 B2US 10129282B2US 201615395483 AUS201615395483 AUS 201615395483AUS 10129282 B2US10129282 B2US 10129282B2
Authority
US
United States
Prior art keywords
user
user account
information
accounts
account
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
US15/395,483
Other versions
US20170111381A1 (en
Inventor
Samuel Jones
Timothy Yousaf
Drew Dennison
Vivek Lakshmanan
Joseph Staehle
Samuel Kremin
Maxim Kesin
Taylor Heroux
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Palantir Technologies Inc
Original Assignee
Palantir Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Palantir Technologies IncfiledCriticalPalantir Technologies Inc
Priority to US15/395,483priorityCriticalpatent/US10129282B2/en
Publication of US20170111381A1publicationCriticalpatent/US20170111381A1/en
Priority to US16/186,801prioritypatent/US11470102B2/en
Application grantedgrantedCritical
Publication of US10129282B2publicationCriticalpatent/US10129282B2/en
Assigned to MORGAN STANLEY SENIOR FUNDING, INC., AS ADMINISTRATIVE AGENTreassignmentMORGAN STANLEY SENIOR FUNDING, INC., AS ADMINISTRATIVE AGENTSECURITY INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: Palantir Technologies Inc.
Assigned to ROYAL BANK OF CANADA, AS ADMINISTRATIVE AGENTreassignmentROYAL BANK OF CANADA, AS ADMINISTRATIVE AGENTSECURITY INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: Palantir Technologies Inc.
Assigned to MORGAN STANLEY SENIOR FUNDING, INC.reassignmentMORGAN STANLEY SENIOR FUNDING, INC.SECURITY INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: Palantir Technologies Inc.
Assigned to Palantir Technologies Inc.reassignmentPalantir Technologies Inc.RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS).Assignors: ROYAL BANK OF CANADA
Assigned to Palantir Technologies Inc.reassignmentPalantir Technologies Inc.CORRECTIVE ASSIGNMENT TO CORRECT THE ERRONEOUSLY LISTED PATENT BY REMOVING APPLICATION NO. 16/832267 FROM THE RELEASE OF SECURITY INTEREST PREVIOUSLY RECORDED ON REEL 052856 FRAME 0382. ASSIGNOR(S) HEREBY CONFIRMS THE RELEASE OF SECURITY INTEREST.Assignors: ROYAL BANK OF CANADA
Assigned to WELLS FARGO BANK, N.A.reassignmentWELLS FARGO BANK, N.A.ASSIGNMENT OF INTELLECTUAL PROPERTY SECURITY AGREEMENTSAssignors: MORGAN STANLEY SENIOR FUNDING, INC.
Assigned to WELLS FARGO BANK, N.A.reassignmentWELLS FARGO BANK, N.A.SECURITY INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: Palantir Technologies Inc.
Assigned to Palantir Technologies Inc.reassignmentPalantir Technologies Inc.ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: STAEHLE, JOSEPH, KREMIN, SAMUEL, HEROUX, TAYLOR, DENNISON, DREW, JONES, SAMUEL, KESIN, MAXIM, LAKSHMANAN, VIVEK, YOUSAF, TIMOTHY
Activelegal-statusCriticalCurrent
Anticipated expirationlegal-statusCritical

Links

Images

Classifications

Definitions

Landscapes

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for network monitoring, user account compromise determination, and user behavior database system. The system monitors network actions of user accounts including user account access across multitudes of network accessible systems, determines user account transitions, and determines different types of high-risk user behavior indicative of compromise. Network actions can be obtained from generated information by the network accessible systems, and correlated across additional data sets including contextual ones. User interfaces are generated describing network actions of user accounts, and are configured for user interaction, which cause generation of updated user interfaces and access to electronic data sources to determine information relevant to the user interaction.

Description

RELATED APPLICATIONS
The present disclosure is a continuation of, and claims priority to, U.S. patent application Ser. No. 14/982,699. The present disclosure further references various features of, and claims priority to, U.S. Provisional Pat. App. No. 62/207,272. The entire disclosure of these applications are hereby made part of this specification as if set forth fully herein and incorporated by reference for all purposes, for all that it contains. Any and all applications for which a foreign or domestic priority claim is identified in the Application Data Sheet as filed with the present application are hereby incorporated by reference in their entirety under 37 CFR 1.57.
BACKGROUND
Large businesses (e.g., national or international corporations) often rely on networked computer systems to transfer and relay information between employees, and between employees and customers. This information, in many cases, can be sensitive and include personal information regarding employees or consumers (e.g., credit card information, addresses, and so on). To protect this sensitive information (e.g., from a malicious actor), businesses can provide access to the sensitive information solely to specific employees that have a business purpose which necessitates access. Additionally, businesses can encrypt the information, include network security hardware such as firewalls, and limit locations the sensitive information is stored.
SUMMARY
Modern day networks used by a business can include tens, or even hundreds, of thousands of user accounts, each accessing an untold number of laptops, servers, domain controllers, from disparate locations all around the world. This degree of complication creates a growing technical problem regarding maintaining the sanctity of private information stored by the business. Without a system to monitor network interactions across huge amounts of network accessible systems, and determine whether user accounts are behaving suspiciously, such a technically complicated network is open by a malicious actor to gain access to user accounts.
Networks can utilize private user account log-in information, and designate only particular user accounts as having access rights to important network accessible systems. However, this technical solution fails once a malicious actor gains log-in information to a user account. In this case, the malicious actor is free to access network accessible systems, and obtain sensitive information. Therefore, to overcome this technical problem, techniques described in this specification can determine whether specific network actions taken by user accounts indicate that the user account is compromised, allowing deep insights into the nature and behavior of user accounts, providing an extra layer of network security. Indeed, techniques described in this specification can detect high-risk behavior that looks like (e.g., appears to be analogous or similar to) behavior that would be utilized by an attacker, allowing a reviewing user to identify attackers through the high-risk behavior that might be exhibited. In this way, high-risk behavior can be identified and stopped (e.g., through network policies or technical actions), lowering the risk surface of the network and making it harder for an attacker to compromise the network.
Particular embodiments of the subject matter described in this specification can be implemented so as to realize one or more of the following advantages. A system can quickly identify user accounts that are potentially compromised for review by a user (e.g., a system administrator, a security officer, and so on.) The system can flag user accounts by determining whether actions the user accounts have taken on a network are indicative of the user accounts being compromised. The reviewing user can view information (e.g., on a user device) describing the flagged user accounts and specific actions each user account has taken, and determine whether any of the user accounts are compromised. In this way, the reviewing user can have insights into networks that include a large number of user accounts (10,000+; 100,000+ user accounts), by visually examining information describing user accounts determined by the system to need reviewing. Thus, the system can guard against a malicious actor obtaining access to a user account (e.g., a privileged user account) and obtaining sensitive information, or otherwise harming the network.
It has been noted that design of computer user interfaces “that are useable and easily learned by humans is a non-trivial problem for software developers.” (Dillon, A. (2003) User Interface Design. MacMillan Encyclopedia of Cognitive Science, Vol. 4, London: MacMillan, 453-458.) The present disclosure describes various embodiments of interactive and dynamic user interfaces that are the result of significant development. This non-trivial development has resulted in the user interfaces described herein which may provide significant cognitive and ergonomic efficiencies and advantages over previous systems. The interactive and dynamic user interfaces include improved human-computer interactions that may provide reduced mental workloads, improved decision-making, reduced work stress, and/or the like, for a user. For example, user interaction with the interactive user interface via the inputs described herein may provide an optimized display of, and interaction with, graph data, image data, and/or other data, and may enable a user to more quickly and accurately access, navigate, assess, and digest the data than previous systems.
Further, the interactive and dynamic user interfaces described herein are enabled by innovations in efficient interactions between the user interfaces and underlying systems and components. For example, disclosed herein are improved methods of receiving user inputs (including methods of interacting with, and selecting, images, graphs, and other types of data), translation and delivery of those inputs to various system components, automatic and dynamic execution of complex processes in response to the input delivery, automatic interaction among various components and processes of the system, and automatic and dynamic updating of the user interfaces (to, for example, display the relevant data from various different applications and/or data sources). The interactions and presentation of data via the interactive user interfaces described herein may accordingly provide cognitive and ergonomic efficiencies and advantages over previous systems.
Various embodiments of the present disclosure provide improvements to various technologies and technological fields. For example, existing data aggregation and analysis technology is limited in various ways (e.g., limited in the types of applications or data sources the data may be drawn from, loss of data interactivity, etc.), and various embodiments of the disclosure provide significant improvements over such technology. Additionally, various embodiments of the present disclosure are inextricably tied to computer technology. In particular, various embodiments rely on detection of user inputs via graphical user interfaces, aggregation of data from different applications and data sources, and automatic processing, formatting, and display of the aggregated data via interactive graphical user interfaces. Such features and others (e.g., automatically determining an application or data source an inputted link is directed to, accessing the application or data source to retrieve and display the requested data, implementing interactivity of displayed data reflective of how the data would be displayed in its native application) are intimately tied to, and enabled by, computer technology, and would not exist except for computer technology. For example, the interactions with displayed data described below in reference to various embodiments cannot reasonably be performed by humans alone, without the computer technology upon which they are implemented. Further, the implementation of the various embodiments of the present disclosure via computer technology enables many of the advantages described herein, including more efficient interaction with, and presentation of, various types of electronic data.
In general, one innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of obtaining data describing network actions of a plurality of user accounts associated with one or more networks; determining, using the obtained data, one or more user compromise scores for each of the user accounts, wherein each user compromise score measures a type of user behavior associated with a risk of compromise; determining, using the one or more user compromise scores for each user account, one or more user accounts of the plurality of user accounts to identify for review; and providing, for presentation, information describing the determined user accounts and respective associated user compromise scores.
The details of one or more embodiments of the subject matter of this specification are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages of the subject matter will become apparent from the description, the drawings, and the claims.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates an example user interface for user account compromise determination.
FIG. 2 illustrates a block diagram of an example user account compromise risk system.
FIG. 3 is a flowchart of an example process for determining user accounts associated with a risk of compromise.
FIG. 4 is a flowchart of an example process for determining user compromise scores for a user account.
FIG. 5 is a flowchart of an example process for presenting detailed information associated with a user account for review by a user.
FIG. 6 is an example user interface of an investigative history of a user account selected for review.
FIG. 7 illustrates an example user interface identifying user profile data of the selected user account.
FIG. 8 illustrates an example user interface describing remote access information associated with the selected user account.
FIG. 9 illustrates an example user interface provided upon selection of a “Client Hostname” selectable option.
FIG. 10 illustrates an example user interface describing user chaining information associated with user accounts identified for review.
FIG. 11 illustrates an example user interface describing user chaining information associated with a selected user account.
FIG. 12 illustrates an example user interface that includes detailed user chaining information associated with a selected user account.
Like reference numbers and designations in the various drawings indicate like elements.
DETAILED DESCRIPTION
This specification describes a system (e.g., the user account compromise system described below) that can enable a reviewing user (e.g., a system administrator, a security officer) to quickly review user accounts, and network actions, determined by the system to be associated with a risk of being compromised. The system can obtain information describing network actions of user accounts associated with a business, and determine user compromise scores for each user account, with each score associated with a type of user behavior indicative, alone or in combination with other types of user behavior, of the user account being compromised (e.g., controlled by a malicious actor). As will be described below, the user compromise scores prioritize user accounts in need of monitoring, or that need to be examined in more detail, by the reviewing user. For instance, the reviewing user can quickly view the user compromise scores (e.g., the user compromise scores can be automatically presented in descending order) and prioritize user accounts to be examined. In this way, a small team is able to utilize the features described below to monitor thousands, tens of thousands or more, user accounts associated with one or more networks.
To determine each user compromise score, the system can compare user behavior of a user account to information describing average (e.g., a measure of central tendency of) user behavior of other user accounts associated with the business (e.g., a same employee role), which can be determined from one or more models maintained and updated by the system. Additionally, the system can obtain historical information associated with each user account (e.g., past user behavior of the user account), and compare the user behavior of each user account to its historical information. Thus, to determine each user compromise score for a particular user account, the system can utilize (e.g., combine or weight) user behavior of other user accounts (e.g., user accounts associated with a same employee role as the particular user account) and historical information of the particular user account and/or historical information of user accounts associated with a same employee role.
To determine user behavior, the system can obtain information describing network actions of user accounts. In this specification, network actions can include any action that affects a network accessible system, or user account, associated with one or more networks controlled by, or accessible to, the business, including accessing a network accessible system from a particular user device, creating a new user account, executing code on a network accessible system, accessing data on a network accessible system, escalating privileges of one or more user accounts, a user account switching to a different user account (e.g., a privileged account), and so on. The network actions can be obtained, and determined, from virtual private network (VPN) logs, Active Directory (AD) logs, firewall logs, user account access records, system logs including keystrokes pressed, mouse movements, touch inputs received, processes or code executed, user accounts that accessed or disconnected from the system, and so on. For instance, the VPN logs can identify internet protocol (IP) addresses of a connection request to a user account.
The system can determine user accounts to identify (e.g., flag) for review based on the determined user compromise scores. That is, the system can identify user accounts exhibiting one or more types of behavior indicative of the user account being compromised. The system can then provide user interfaces describing the identified user accounts (e.g., prioritized based on respective user compromise scores), which the reviewing user can quickly review and, at his/her discretion, request more detailed information about. In this way, the reviewing user can review a user account and determine whether the user account is compromised (e.g., determine a risk of compromise from the user compromise scores), and upon a positive determination, take appropriate actions to remedy the compromise.
In some implementations, when providing user interfaces to the reviewing user, the system can group user compromise scores according to the type of user behavior they describe (e.g., the system can provide selectable options to the reviewing user to receive user interfaces with grouped user compromise scores, or the reviewing user can select which user compromise scores he/she is interested in).
For instance, as described below inFIG. 1, the example user interface includes user compromise scores that measure user behavior associated with “Remote Access”, which can be user behavior associated with initially accessing user accounts or network accessible systems. As an example, the user behavior can include the specific systems (e.g., user devices) used to access the network(s) and/or user accounts, the specific network accessible systems accessed, geographic locations from which user accounts were accessed, and so on.
In another instance, described below inFIG. 10, the example user interface includes user compromise scores that measure user behavior associated with “User Chaining”, which can be user behavior after accessing user accounts. As an example for a particular user account, user behavior can include tracking the particular user account switching user accounts to a different user account (e.g., a privileged user account with administrator or escalated access privileges to network accessible systems or user accounts), processes (e.g., operating system processes) that the particular user account initiates, or otherwise executes, on network accessible systems, and so on.
FIG. 1 illustrates anexample user interface10 for user account compromise determination. Theuser interface10 is an example of a user interface that can be presented on a user device (e.g., a laptop, a tablet, a computer, a wearable device) executing an application (e.g., a web browser), and can be received from a system (e.g., the user account compromise system100) over a network (e.g., the Internet).
As illustrated inFIG. 1, theuser interface10 includes identifications of user accounts20 that can access one or more network accessible systems of a business, and that are associated with a risk of being compromised (e.g., controlled by a malicious actor). Each user account includes an identification of user compromise scores20, with each score measuring a type of user behavior indicative of the user account being compromised. In some implementations, the user compromise scores can be between a range of numbers (e.g., between zero and one), with a greater score indicating a greater risk of compromise. The user accounts12 are ordered according to arank14 determined from a combination (e.g., a weighted combination) of the user compromise scores20. In some implementations, the rank can be based solely off the “Anomaly Score”, described below with reference toFIG. 4. In this way, user accounts can be prioritized for review (e.g., by a reviewing user such as a system administrator or member of a security team).
As described above, theexample user interface10 includes user compromise scores associated with “Remote Access”1, and includes user compromise scores measuring types of user behavior when user accounts, or network accessible systems, are initially accessed.
For instance, the “Host Score”24 for a particular user account (e.g., “RLP8”) is a measure associated with network accessible systems (e.g., user devices, or other systems, such as computers, laptops, and so on) used by the particular user account to access a network of the business (e.g., access one or more network accessible systems, target hosts, and so on). The “Host Score”24 can be based off a number of network accessible systems an average user account utilizes, and a number of network accessible systems the particular user account normally uses. Furthermore, the “Host Score”24 can be based off types of network accessible systems the particular user account is normally associated with (e.g., laptops, tablets, and so on). In addition to a number of network accessible systems, the “Host Score”24 can be greater if the particular user account has recently used network accessible systems not historically associated with the particular user account.
The “Speed Score”24 for a particular user account measures how likely it is that a single person has used (e.g., provided log-in information associated with the particular user account) the particular user account from disparate locations in a period of time. For instance, if the particular user account was used in a first remote session from a first location (e.g., Austin, Tex.), and a short period of time later (e.g., 15 minutes), accessed from a second location (e.g., San Francisco, Calif.), the “Speed Score”26 can indicate that one user could not travel fast enough between those two locations to effect the two remote sessions. This type of behavior could represent user account compromise or credential sharing (e.g., a person sharing credentials of a user account with another person not associated with the user account).
The “Location Score”26 for a particular user account measures risk and unusualness associated with the locations from which the particular user account was used. For instance, a particular geographic region can be known (e.g., to a system administrator) to be associated with malicious activity. The “Location Score”28 can thus be greater if the particular user account is being accessed from the particular geographic region. Additionally, the “Location Score”28 can be greater if the particular user account is being accessed from geographic regions that the particular user account has not, or rarely, previously been used from.
The “Anomaly Score”22 for a particular account is a combination of the “Host Score”24, “Speed Score”26, and “Location Score”28 (e.g., a weighted sum). In some implementations, the “Anomaly Score”28 is a convolution of the weighted sum taken over time with a user selectable window size. Determining an anomaly score is described below, with reference toFIG. 4.
Theuser interface10 further includes amap16 of the Earth, and countries from which remote sessions (e.g., VPN sessions) to access user accounts have emanated. In some implementations, themap16 can be a heat-map identifying a frequency of the access, and each country in themap16 can be selectable by a user. Upon selection of a country, theuser interface10 can be updated to include user accounts that have been accessed from the selected country. In some implementations, themap16 can be a map of a particular region (e.g., country, city, geographic area, and so on).
A user of theuser interface10 can mark a particular user account according to a “Triage Status”30, which can include an identification of whether the particular user account needs further review, or has already been reviewed (e.g. the user can mark the particular user account according to a color code system such as red or green displayed in the graph38). In this way, a different user can view theuser interface10, and identify a user account to review according to the “Triage Status”30.
Additionally, theuser interface10 includes summary data describing user accounts associated with the business. For instance, the summary data can include a graph identifying a number ofcountries32 that user accounts have been accessed from, a graph identifying a number of network accessible systems or “Hosts”34 that each user account has used to access networks of the business, determined distribution of anomaly scores36, and a graph identifying a number of user accounts for each “Triage Status”38 identified by users of theuser interface10.
Utilizing theuser interface10, a user (e.g., a system administrator) can gain valuable insights into the user accounts associated with the business including network actions and network events associated with user accounts. The user can determine that a particular user account (“RLP8”) is in need of further review, and can select the particular user account to view more detailed information, which is described below with reference toFIGS. 6-12.
FIG. 2 illustrates a block diagram of an example user accountcompromise risk system100. The user account compromise system100 (e.g., a system of one or more computers, or one or more virtual machines executing on a system of one or more computers) can obtain information identifying network actions of user accounts associated with a business, and determine user accounts to identify as potentially being compromised (e.g., by a malicious actor) for review by a user (e.g., by a system administrator, security officer, and so on).
To determine user accounts to identify for review, the user accountcompromise risk system100 includes a compromise determination engine110 that can determine user compromise scores for each user account, with each user compromise score being a measure of a particular type of user behavior that indicates, in part, the user account has been compromised (e.g., the user account is at a relative greater risk for being compromised).
For instance, as will be described below inFIG. 4, the compromise determination engine110 can determine, for a particular user account, a host score (e.g., a score based on the network accessible systems (e.g., user devices) used by a user account to access the network), a speed score (e.g., a score based on a speed a person would have to travel between a first location, and a subsequent location, from which the particular user account was used), a location score (e.g., a score based on the locations from which the particular user account was used), a lateral movement and user chaining score (e.g., a score based on user accounts transitioned to, or accessed by, the particular user account), and an anomaly score (e.g., a score based on summary behavior of the particular user account in comparison to known or historical behavior of the particular user account).
The compromise determination engine110 can obtain information from anetwork interaction database102, which the user accountcompromise risk system100 is in communication with, or in some implementations maintains. Thenetwork interaction database102 stores information obtained from network accessible systems of the business, such as server systems, domain controllers, computers, laptops, checkout systems, point of sale systems, firewalls, virtual private network (VPN) servers, and so on. The information can include logs from each of the network accessible systems, and can include VPN logs, Active Directory logs, system logs, firewall logs, user account access records, and so on.
Thenetwork interaction database102 can include identifications of events included across disparate logs that relate to network actions of each user account. The events can be ordered according to time (e.g., from time stamps included in logs), which provide a temporal history of network actions taken, or initiated, by each user account.
The compromise determination engine110 can determine user compromise scores for a particular user by utilizing information obtained from the network interaction database102 (e.g., data describing user behavior of the particular user account), and one or more models (e.g., machine learning models) describing normal (e.g., expected, measures of central tendency of) user behavior of user accounts with the business (e.g., user accounts associated with a same employee role as the particular user account). As an example, the compromise determination engine110 can monitor user behavior (e.g., user actions, network actions, and so on) and update the normal behavior of each user account (e.g., upon the occurrence of any action, or periodically). In some implementations, the compromise determination engine110 can utilize machine learning models (e.g., k-means clustering) to determine user behavior of user accounts with respect to other user accounts (e.g., cluster user accounts together). The machine learning models can also describe features that are indicative of user accounts being compromised, and can compare the features to user behavior being monitored. In this way, the compromise determination engine110 can determine whether a particular user account's behavior is anomalous, or otherwise is an outlier with respect to determined normal user account behavior (e.g., normal to the particular user accounts behavior or to other user accounts). Additionally, the machine learning models can be updated periodically to maintain accuracy. The user compromise scores can be determined for each event, or in some implementations, the user compromise scores can be determined for a time period which includes multiple events.
For instance, if the particular user account is associated with an employee that is in Human Resources (HR), the user behavior of the particular user account can be compared to user behavior of other user accounts associated with employees in HR, or similar non-technical employee divisions. Similarly, if the particular user account is associated with a system administrator, or an employee engaged in network security, the user behavior of the particular user account can be compared to user behavior of other similar user accounts. In this way, the user compromise scores can be relative to normal user behavior of similar user accounts. In some implementations, the user compromise scores can be relative to normal user behavior of all user accounts associated with the business.
Additionally, the compromise determination engine110 can be in communication with, or in some implementations maintain, a useraccount summary database104 storing historical information regarding user accounts (e.g., thesystem100 can monitor network actions of each user account, and determine summary data to include in the user account summary database104). For instance, a particular user account can be normally used (e.g., accessed) from a particular location (e.g., Bolinas Calif. at the headquarters of the business), but occasionally from a different location (e.g., a foreign country at the home of a family member). If the normal user behavior of user accounts (e.g., determined by models as described above) does not include user account access from the different location, the particular user account can be determined to have a high location score (e.g., a score based on a risk level of locations from which the particular user account is used). However, using the useraccount summary database104, the compromise determination engine110 can determine that the location score should be lower, since the particular user account has historically been accessed from the different location.
Thus, the compromise determination engine110 can determine user compromise scores from user account summary data describing normal (e.g., expected, measures of central tendency of) user behavior and also normal user behavior of other user accounts.
After determining user compromise scores, the useraccount risk system100 can provide identifications of user accounts with associated user compromise scores to apresentation system130. Thepresentation system130 can be a system of one or more computers, or in some implementations can execute on the useraccount compromise system100. Thepresentation system130 is in communication with auser device140 of a reviewing user (e.g., a system administrator, a security officer), and is configured to provideuser interfaces132 for presentation on theuser device140. Theuser interfaces132 can be documents (e.g., web pages), which theuser device140 can receive and provide for presentation (e.g., render in a web browser).
The reviewing user can view the user interfaces132 (e.g., the example user interface described inFIG. 1), and interact with theuser interfaces132 to receive different, or more detailed information, about the identified user accounts. For instance, the reviewing user can provide auser selection142 of a particular user account, and receive detailed information associated with the particular user account including user profile data106 (e.g., information identifying a name of an employee associated with the particular user account, a location in which the employee works, and so on). Examples of user interfaces are described below, with reference toFIGS. 6-12.
FIG. 3 is a flowchart of anexample process300 for determining user accounts associated with a risk of compromise. For convenience, theprocess300 will be described as being performed by a system of one or more computers (e.g., the user account compromise system100).
The system obtains data describing network actions of user accounts associated with a same network (block302). The system obtains network action data from network accessible systems, with the network action data including virtual private network (VPN) logs, Active Directory (AD) logs, firewall logs, user account access records, system logs, and so on.
The system determines user compromise scores for each user account (block304). As described above, each user compromise score measures a type of user behavior indicative of the user account being compromised. As will be described below, with reference toFIG. 4, the system determines user compromise scores for each user account, and can utilize summary data (e.g., historical information describing user behavior) of the user account along with one or more models identifying normal (e.g., expected) user behavior of user accounts (e.g., user accounts associated with employees that have a same or similar employee role). As will be described below, with reference toFIG. 4, the user compromise score for a particular type of user behavior can be normalized between two values (e.g., between zero and one).
The system determines user accounts to identify for review (block306). After determining user compromise scores for each user account, the system determines user accounts that are to be identified for review (e.g., by a system administrator, security officer).
In some implementations, the system can assign a ranking (e.g., an order) to each user account based on the respective user compromise scores. To determine the ranking, the system can determine a weighted combination of user compromise scores, and assign the rankings according to an order of the weighted combination. In some implementations, the weights can be based determined using a machine learning model that identifies weights to identify overall user behavior that is most associated with a user account being compromised. In some other implementations, the weights can be user selected, and can be, as one non-limiting example, 0.7 for the speed score, 0.2 for the location score, and 0.1 for the host score.
Additionally, in some implementations, a single user compromise score can be utilized to determine the ranking of each user account. For instance, as will be described below withFIG. 4, an anomaly user compromise score is determined as a convolution involving weighted combinations of particular user compromise scores (e.g., a location score, a host score, a speed score) and a window function. The anomaly user compromise score can be utilized to assign rankings to the user compromise scores, with a higher anomaly score indicating a higher ranking.
Furthermore, as described above, in some implementations particular user compromise scores can be grouped together and presented on a same user interface. For instance, a “Remote Access” group includes user compromise scores associated with user behavior during initial access of user accounts. The “Remote Access” group can include the location score, host score, and speed score.
When determining user accounts to identify for review, the system can receive information identifying that a reviewing user (e.g., a system administrator) wants to view the “Remote Access” group of user compromise scores, and the system can determine a ranking of user accounts based on the user compromise scores included in the “Remote Access” group. An example of a user interface describing “Remote Access” is described above, with reference toFIG. 1.
Similarly, the system can receive information identifying that the reviewing user wants to view a “User Chaining” group of user compromise scores, and the system can determine a ranking of user accounts based on the user compromise scores included in the “User Chaining” group (e.g., user chaining score and/or lateral movement score). An example of a user interface describing “User Chaining” is described below, with reference toFIG. 10.
In some implementations, alternative to assigning a ranking, the system can identify user accounts for review upon determining that one or more of the user compromise scores are greater than a respective threshold for each user compromise score. For instance, if a user chaining score (e.g., described below with reference toFIG. 4) is greater than a threshold (e.g., greater than zero) for a particular user account, the system can identify the particular user account for review. As an example, if a user chaining score is greater than zero (e.g., a user account transitioned to a different user account), the system can identify the user account for review.
The system provides information describing the determined user accounts and associated user compromise scores for presentation (block308). The system generates user interface data for presentation to a user device of a reviewing user (e.g., a system administrator). In some implementations, the system can generate a document (e.g., a web page) to provide to the user device. In some implementations, the system can provide information describing the determined user accounts and user compromise scores to a presentation system (e.g., as described above inFIG. 2), which is in communication with the user device.
As described above, with reference toFIG. 1, and as will be described below, with reference toFIGS. 6-12, the system can provide different user interfaces for presentation on the user device. For instance, as described above inFIG. 1, the system has provided a user interface describing “Remote Access” (e.g., in response to a request received from the reviewing user). Similarly, the system can provide a user interface describing “User Chaining” (e.g., in response to a request received from the reviewing user), described below with reference toFIG. 10.
The user interface data is configured to include selectable information, and the system can receive a user selection of particular information. The system can then obtain detailed information associated with the user selection, and provide the detailed information for presentation. For instance, the reviewing user can select a particular user account determined for review, and the system can generate user interface data which includes detailed information regarding the selected user account (e.g., as described below with reference toFIGS. 6-9 andFIGS. 10-12).
In this way, the reviewing user can initially view identifications of user accounts, and drill down into the specifics of each user account and the reasons the user account was determined to need reviewing. The reviewing user can pivot on information he/she finds interesting to obtain a holistic view of each user account. As an example, the reviewing user can select a particular user account, and receive detailed information regarding specific network accessible systems the particular user account accessed. The reviewing user can obtain information identifying that an employee associated with the particular user account reported a particular user device lost, or stolen, on a particular date. The reviewing user can then determine whether the particular user account accessed the particular user device after the particular date, and upon a positive determination, determine that the particular user account was compromised.
FIG. 4 is a flowchart of anexample process400 for determining user compromise scores for a user account. For convenience, theprocess400 will be described as being performed by a system of one or more computers (e.g., the user account compromise system100).
As described above, the system determines user compromise scores in any order, and does not need to follow the order of the blocks inprocess400, or determine all of the user compromise scores. Additionally, the system can determine each user compromise score periodically (e.g., after passing of a particular time period) utilizing information describing network actions of user accounts from the periodic time period (e.g., information obtained after the end of a previous periodic time period and before the start of the subsequent period time period). Alternatively, or in addition to, the system can determine each user compromise score after receiving a request from a reviewing user (e.g., a system administrator) for the user compromise scores to be determined. The request can also include an identification of a particular time period, and the system can obtain information describing network actions of user accounts from the particular time period.
As described inFIG. 2, the system can determine events describing temporal network actions of each user account. For instance, a first event could be the user account being accessed through a remote access session. A second event could be the user account transitioning to a different user account, or the user account being accessed again in a different remote access session. In some implementations, the system can determine each of the user compromise scores for each event, and sum the respective user compromise scores through a period of time selected by a reviewing user.
The system determines a speed score for the user account (block402). As described above, the speed score measures how likely it is that a single person has used (e.g., accessed) the user account from disparate locations in a period of time.
To determine the speed score, the system obtains an internet protocol (IP) address associated with the access of the user account, which in some implementations can be obtained from system logs including virtual private network (VPN) logs (e.g., the user account was accessed through a VPN server). The logs can include an identifier of the user account, a timestamp of the access, and an IP address associated with the requesting user device.
The system identifies two subsequent uses of the user account, and obtains the IP address and timestamp of each access. The system then determines a location associated with the IP, which in some implementations can be a region, country, city, latitude, longitude, of the location. The system computes a distance between the locations, and divides the distance by a difference in timestamps. The result of the computation is designated as a speed of travel between the two locations.
In some implementations, the system can access one or more models identifying normal user behavior of user accounts associated with a same business, and determine the speed score by comparing the speed of travel to one or more threshold speeds (50 m/s, 102 m/s, 300 m/s, 400 m/s) identified by the models. The threshold speeds can each be associated with a particular speed score (e.g., the lowest threshold can be associated withscore1, and each successive threshold can add 1), and the system can assign the speed associated with the highest threshold speed that is below the speed of travel. Additionally, the system can obtain information identifying a probability of travel for an employee role associated with the user account (e.g., a sales person might need to travel more often than someone in human resources). The system can modify the speed score based on the obtained probability (e.g., the speed score can be greater by a constant multiplier, 1.1, 1.2, 1.3, if the speed of travel is greater than a threshold and the probability of travel is low).
In some implementations, the system can determine the speed score using summary data of the user account (e.g., historical information). The summary data can identify, for instance, historical speed scores and associated speeds of travel. If the summary data routinely includes high speeds of travel, the system can determine that an employee associated with the user account travels around a lot, and thus the system can assign a lower speed score than a different employee that does not travel (e.g., using a constant multiplier such as 0.9, 0.8, 0.3, or by subtracting a constant from the speed score determined using the model).
In implementations in which the system has summary data and model information identifying normal user behavior, the system can combine the information (e.g., weight respective speed scores determined using the summary data and model information) to determine an overall speed score.
The system determines a host score for the user account (block404). As described above, the host score is a measure associated with the network accessible systems used to access one or more networks and/or other network accessible systems of the networks.
To determine the host score, the system determines a number of network accessible systems used by the user account. As described above, the information can be obtained from logs, including VPN logs, user access logs, and so on.
After determining a number of network accessible systems, the system can access one or more models identifying normal user behavior of user accounts, and obtain one or more threshold values each indicating a number of network accessible systems. The system can compare the number of network accessible systems to the threshold values, and assign a host score based on the comparison. For instance, each threshold value can be associated with a particular host score (e.g., 1, 2, 3), and the system can identify the closest threshold value that is less than the number of network accessible systems the user account accessed. Additionally, the threshold values can be associated with employee roles, and the system can utilize the threshold values associated with a same, or similar, employee role as the user account.
The system can also obtain summary data describing user behavior of the user account (e.g., historical user behavior), and determine whether the determined number of network accessible systems is greater than, or less than, a number of network accessible systems identified in the summary data (e.g., a measure of central tendency of historical numbers of network accessible systems). The system can then assign a host score based on a difference between the summary data and the determined number of network accessible systems (e.g., if the user account is suddenly using a large number of network accessible systems, but normally uses one network accessible system, the system can assign a high host score such as 2, 3, 4).
In implementations in which the system has summary data and model information, the system can combine the information (e.g., weight respective host scores determined using the summary data and model information) to determine an overall host score.
In addition to determining the host score using numbers of network accessible systems utilized by the user account, the system can utilize the summary data to determine whether the user account is using network accessible systems that have not, or rarely, been previously used. The host score can be modified based on the determination (e.g., the host score can be increased by a constant multiplier, or by a constant value, if the user account is using network accessible systems the user account has not previously utilized). Furthermore, in some implementations, the system can obtain information identifying a risk level associated with each network accessible system, and modify the host score based on the risk levels (e.g., apply a constant multiplier or add a constant such as 1, 2). For instance, if the user account is using an insecure network accessible system to generally access one or more networks (e.g., insecure operating system, unpatched software, no password on the system, automatic log-in of the network upon powering of the network accessible system, and so on), the host score can be increased
The system determines a location score for the user account (block406). As described above, the location score measures risk associated with the locations from which the user account was used. The system can obtain information identifying locations from virtual private network (VPN) logs providing access to the user account, or from other user access record or system logs.
The system can determine the location score by comparing the locations from which the user account was used, to one or more models describing normal user behavior of user accounts. If the system determines any deviations from the normal user behavior, the system can increase the location score (e.g., by 1 for each event). The system can access the models and obtain normal locations utilized by persons (e.g. employees) to access their user accounts (e.g., locations from which the persons use their user accounts). A normal location can be identified as a location utilized more than a threshold number of times (e.g., the threshold can depend on a number of employees), or a normal location can be identified as any location that is related to a business purpose of a business (e.g., a location in which an office of the business is located, a location in which contractors are hired, a location in which the business does business, and so on). A normal location can also be identified as any location not associated with malicious activity (e.g., a location from which malicious activity is known, or has been previously seen, to be emanating from). A normal location can also depend on a role of employees associated with user accounts, for instance, employees that generally do not travel for business purposes can have normal locations identified as the locations associated with their workplace (e.g. radii surrounding the workplace).
In some implementations, the system can determine network traffic coming from a virtual private network (VPN) not associated with the business (e.g. an anonymizing VPN). To identify the anonymizing VPN, the system can have information stored identifying IP addresses associated with the VPN. The system can then determine whether network traffic associated with one of the IP addresses is attempting to access (e.g., use) the user account. Upon a positive determination, the system can assign a high score to the location score (e.g., 2, 3, 4).
Additionally, the system can access summary data describing user behavior of the user account (e.g., historical user behavior), and determine whether the locations from which the user account was used have never, or atypically, been included in the summary data. Upon a positive determination, the system can assign a high location score (e.g., 1, 2, 3).
In implementations in which the system has summary data and model information identifying normal user behavior, the system can combine the information (e.g., weight respective location scores determined using the summary data and model information) to determine an overall location score.
The system determines a lateral movement score (block408). The lateral movement score is a measure associated with the behavior in which a user traverses the network. This score is determined based on the types of assets (e.g., network accessible systems) a user logs into, the applications used (e.g., initiated) by the user, the temporal activity of the user and the types of logons performed (e.g. interactive logon, RDP (Remote Desktop Protocol), and so on).
For instance, if the user account transitions to a domain controller (e.g., a network accessible system associated with a high risk level), or other system associated with a high risk level, which the user account has not previously, or rarely, accessed, the lateral movement score can be increased. Furthermore, the system can obtain information describing applications, or other executable code, known to be safe, and increase the lateral movement score upon determining that the user account is initiating applications, or other executable code, not known to be safe. Similarly, the lateral movement score can be increased if the user account initiates applications, or other executable code, known to be malicious.
The system determines a user chaining score (block410). The user chaining score is a measure associated with user behavior after the user account is accessed.
The system can obtain information describing user behavior after accessing (e.g., logging into) the user account from user access records (e.g., records identifying connections to network accessible systems), from VPN logs, and from system records (e.g., records identifying an IP address connection received by the system, a user account accessed, and a subsequent user account or network accessible system accessed; additionally the records can identify processes initiated by a user account, network requests or traffic to other network accessible systems initiated by a user account; and so on). Using the information described above, the system can determine user accounts switched to by the user account, and actions the user account took (e.g., initiating processes associated with executable code, or initiating scripts).
The system can access one or more models identifying normal user behavior of user accounts after the user accounts are accessed. For instance, the models can identify a frequency that user accounts transition to other user accounts, and specifically a frequency in which user accounts transition to user accounts with escalated privileges (e.g., escalated access rights associated with an access control list (ACL)). As an example, a service technician might have a normal user account for performing his/her day to day business, and a special service account with escalated privileges. The system can also obtain information identifying a normal amount of network traffic that a user account might generate (e.g., a malicious actor might execute scripts to obtain large amounts of stored data and provide it over a network to his/her computer). Additionally, the models can identify a number of network accessible systems that a normal user account accesses (e.g., in a period of time). For instance, a malicious attacker might access a large number (e.g., 4, 8, 12) of network accessible systems in a short period of time (e.g., 30 minutes, one hour, 12 hours).
The system can determine a user chaining score based off a comparison of user behavior of the user account to the normal user behavior (e.g., the system can assign a higher user chaining score, such as 1, 2, 3, to each determined deviation from the normal user behavior). Additionally, the system can compare user behavior of the user account to normal user behavior of user accounts associated with a same employee role. For instance, if the user account is associated with a human resources (HR) employee, and the normal user behavior for HR employees does not include transitioning to a privileged user account, the system can assign a higher user chaining score.
The system can also obtain summary data describing normal user behavior of the user account, and determine deviations from the user behavior of the user account. The system can increase the user chaining score (e.g., by a constant or a multiplier) upon determining deviations (e.g., based off a degree of the deviation).
In implementations in which the system has summary data and model information identifying normal user behavior, the system can combine the information (e.g., weight respective user chaining scores determined using the summary data and model information) to determine an overall user chaining score.
The system determines an anomaly score for the user account (block412). As described above, the anomaly score is an aggregate measure of anomalous user behavior, and can be determined as an aggregate measure of multiple user compromise scores (e.g., location score, host score, speed score).
To determine the anomaly score, the system obtains information describing network actions of the user account (e.g., as described above, the system can obtain logs and identify entries or events in the logs associated with network actions of the user account). The system orders each of the network actions according to a time associated with each network action (e.g., a time stamp included in a log).
After ordering the network actions, the system determines a host score, a location score, and a speed score, for each network action. The system can apply a weighting to each user compromise score (e.g., the speed score can be weighted highest such 0.7, 0.6; location score weighted less than the speed score, such as 0.3, 0.2; and the host score weighted least, such as 0.1, 0.2), and determine an overall user compromise score for each network action.
The system computes a convolution of the weighted user compromise scores for each network action with a function that aggregates a particular number of the network actions, with each network action associated with a particular weight (e.g., a window function is applied that decays at the tail ends). In some implementations, the convolution can be of the weighted user compromise scores and a function that aggregates over a particular time period (e.g., time periods can include varying numbers of network actions).
The system assigns the result of the convolution as the anomaly score (e.g., the system can first normalize the computed convolution result). Since the anomaly score is an aggregate of user compromise scores across network actions, the system can utilize the anomaly score as an overall user compromise score which can be used, for example, to rank (e.g., prioritize) user accounts for review.
In some implementations, additional user compromise scores can be determined based on network and/or user actions. For instance, an application score can be determined (e.g., a score based on the types or numbers of applications accessed or initiated by user accounts). The application score, and any additional scores, can be used to determine an anomaly score (e.g., a more robust anomaly score).
Determining an anomaly score is further described in U.S. patent application Ser. No. 14/970,317 entitled “IMPROVED NETWORK ANOMALY DETECTION,” filed on Dec. 15, 2015, which is hereby incorporated by reference in its entirety.
FIG. 5 is a flowchart of anexample process500 for presenting detailed information associated with a user account for review by a user. For convenience, theprocess500 will be described as being performed by a system of one or more computers (e.g., the user account compromise system100).
The system can be in communication with a user device of a reviewing user (e.g., a system administrator, a security officer, a service technician), and the reviewing user can be reviewing information describing user accounts identified by the system for review. For instance, the reviewing user can provide a request to the system for a user interface (e.g., the reviewing user can access a web page), and the system can provide the user interface. As an example, the reviewing user can request theuser interface10 described inFIG. 1, and view information describing “Remote Access” (e.g., user behavior upon initiation of access to user accounts). Alternatively, the reviewing user can receive the user interface described inFIG. 10, and view information describing “User Chaining” (e.g., user behavior after access of user accounts).
The system receives a selection of a user account from the reviewing user (block502). As described above, the reviewing user can be viewing a user interface describing one or more user accounts determined by the system to be reviewed. The reviewing user can select a user account he/she is interested in, and the system can receive information identifying the selected user account.
After receiving the selection, the system obtains information describing the selected user account and associated user compromise scores (block504). As described above, the system stores user profile data associated with each user account, including an employee role associated with the user account, a name associated with the user account, user access rights (e.g., obtained from an access control list, Active Directory information), and so on. Additionally, the system can obtain information associated with user compromise scores for the selected user account. For instance, the system can obtain identifications of locations from which the user account was used, network accessible systems used to access networks associated with the user accounts, user behavior after the selected user account was used (e.g., transitions to other network accessible systems, transitions to other user accounts, escalation of privileges), and so on.
The system generates user interface data describing the obtained information (block506). The system can generate user interface for presentation on the receiving user's user device (e.g., the system can generate a web page including at least a portion of the obtained information).
The system receives information identifying a selection of a portion of the obtained information (block508). The system receives information from the reviewing user to view specific information. For instance, the reviewing user can request information associated with user compromise scores for a particular time period (e.g., locations from which a user account was used in the particular time period). Additionally, the reviewing user can request information associated with specific access rights of the user account, the reviewing user can request information regarding notes or descriptive text input into the system for a present, or previous, time period (e.g., by the reviewing user or a different reviewing user), and so on. Examples of user interfaces are described below, with reference toFIGS. 6-12.
The system updates the user interface in response to receiving information from the reviewing user (block510). In updating the user interface, the system determines information to obtain (e.g., from databases102-106), and can, for example, generate updated user compromise scores, analyze the obtained information to provide graphic representations of complex information relevant to the reviewing user's request, and so on.
For instance, the reviewing user can request detailed information regarding the selected user account's user chaining score. The system can obtain information identifying user accounts that the selected user account transitioned to, and user accounts the transitioned to user accounts transitioned to. After obtaining the above information, the system can update the user interface to include a graphical representation of each transition, which is described below with reference toFIG. 12.
User Interfaces
User interfaces described inFIGS. 6-12 are examples of user interfaces generated by the system, or a presentation system in communication with the system, and presented on a user device. In some implementations, the user interfaces can be presented on the user device as a document (e.g., a web page) in an application (e.g., a web browser).
Each of the user interfaces described below includes user selectable options that upon selection can cause the system to obtain associated information (e.g., from databases102-106), determine updated user compromise scores or other information, and modify, or generate, user interface data. The user interfaces can provide a reviewing user (e.g., a system administrator, a security officer, a service technician) insights into complex networks with large numbers of user accounts by obtaining disparate information from logs spread across network accessible systems, and providing easy to understand summary data of user behavior of each user account.
Each example user interface described below includes a selectable option for the reviewing user to specify a particular time range that interests him/her. Upon receiving a selected time range, the system can access one or more databases (e.g., databases102-106) and determine information associated with the time range to provide to the reviewing user.
FIG. 6 is anexample user interface600 of an investigative history of a user account selected for review. Theuser interface600 can be, for example, provided to a user device after receiving a selection of a user account for review (e.g., as described above inFIG. 5).
Theuser interface600 includes an identification of theuser account602 under review, including an identification of a number ofopen investigations604, and atriage status606 identifying whether the user account needs further review, is determined to be malicious, or is determined not to be malicious.
Theuser interface600 further includes user selectableoptions608 identifying information available for review. The selectable options include “Investigative History”, which is described in the present figure ofFIG. 6; “Active Directory”, which is described inFIG. 7; “Remote Access”, which is described inFIG. 8; and “User Chaining”, which is described inFIG. 12.
Theuser interface600 includesdescriptions610 of prior, or present, investigations. For instance, as illustrated in the example ofFIG. 6, a prior investigation is included, and includes an identification of a time period reviewed, a reviewing user, a present status and judgment, and in some implementations can include details regarding the investigation. In this way, a reviewing user can view prior investigations to see if the prior investigation is pertinent to a current investigation.
FIG. 7 illustrates anexample user interface700 identifying user profile data of the selected user account. Theuser interface700 includes an identification of the selected user account702 (e.g., as described above with reference toFIG. 6), and theuser interface700 is presented after the reviewing user selected the “Active Directory”702 selectable option.
As illustrated in theuser interface700, the “Active Directory”702 selectable option is associated with user profile data of the selected user account (e.g., the system can obtain user profile data from theuser profile database106 and user account summary database104). User profile data includes a name associated with the user account704 (e.g., “Name”), an employee role associated with the user account706 (e.g., “Title: Contractor”), information describing the particular employee role708 (e.g., “Division: 9090”, “Dept.: 753—IT HR SYSTEMS”).Additional information710 is included, including an email address associated with the user account, a manager of the employee, and account information.
Theuser interface700 further includes user access rights information712 (e.g., information obtained from access control lists (ACL) or Active Directory information), and identifies “Group Membership” information for particular groups the user can access.
Utilizing theuser interface700, the reviewing user can quickly identify the scope of user access rights the user account has, and information regarding the employee role to ascertain how sought after of a target the user account is. Additionally, the reviewing user can determine which network accessible systems can be affected (e.g., accessed) by the user account based on the useraccess rights information712.
FIG. 8 illustrates anexample user interface800 describing remote access information associated with the selected user account. Theuser interface800 can be presented, by the system, upon user selection of the “Remote Access” selectable option. As described above, the “Remote Access” selectable option provides information describing user behavior associated with initiating access to the selecteduser account802.
Theuser interface800 includesselectable options804 associated with different types of information related to “Remote Access.” Upon selection of anoption804, the system can provide information as a chart, or graph, describing the selected option in a “Remote Access Timeline”806. The “Remote Access Timeline”806 provides information associated with eachoption804, from a date range identified by the reviewing user, in a legible chart or graph format.
For instance, for theselectable option804 “Country”, the system can provide achart806 of the specific countries from which the selecteduser account802 was accessed, on particular dates in a date range identified by the reviewing user.
Similarly, for theselectable options804 “Region” and “City”, the system can provide achart806 of the specific regions, and cities, from which the selecteduser account802 was accessed.
Theselectable options804 further include “Client Host Name”, and upon selection of the “Client Host Name” option, the system can provide achart806 of specific network accessible systems the selecteduser account802 utilized to access one or more networks of interest to the reviewing user. An example of the reviewing user selecting “Client Host Name” is described below, with reference toFIG. 9.
Theuser interface800 further includes information describing ageographic origin808, and an identification of countries, and cities, from which the selecteduser account802 was accessed from, compared against a number of remote access sessions to the selecteduser account802.
FIG. 9 illustrates anexample user interface900 provided upon selection of a “Client Hostname” selectable option. As described above, with reference toFIG. 8, theuser interface800 includes selectable options, which upon selection cause the system to provide information in a chart, or graph, related to the selectable option. In theuser interface900, the reviewing user has selected “Client Hostname”904, and the “Remote Access Timeline”906 is updated to chart the network accessible systems used (e.g., client computer as indicated inFIG. 9) utilized by the selected user account902 (e.g., to access the networks) in a time period selected by the reviewing user. Thechart906 includes times (e.g., dates included in the selected time period) mapped against a number of remote access sessions involving particular network accessible systems. For instance, a network accessible system associated with a name “KLT-US-RPER” was used by the selecteduser account902 to access the networks. Thechart906 illustrates that the network accessible system was used twice by the selecteduser account902 on “2015-04-03”.
As an example, the reviewing user can utilize theuser interface900 to identify all network accessible systems used by the selected user account902 (e.g., from the chart906).
Theuser interface900 further includes information associated with the network accessible systems (e.g., “Client Computer Attributes”908), and includes operating systems utilized910, specific versions of software installed on each network accessible system, user access rights associated with each system, and so on. The information can be user selectable, and upon selection of a particular portion of information, the system can provide information regarding the selected portion.
For instance, the reviewing user can select a particular operating system910 (e.g., “Windows 7”), and theuser interface900 can be updated to identify the network accessible systems used by the selecteduser account902 that utilize the particular operating system. Additionally, the updated user interface can include specific version information (e.g., patches installed) for each network accessible system that utilizes the particular operating system. In this way, the reviewing user can identify whether a malicious actor might have obtained access to a network accessible system (e.g., to use the network accessible system to access the networks) that is utilizing an operating system with an old version.
FIG. 10 illustrates an example user interface1000 describing user chaining information associated with user accounts identified for review. As described above, user chaining includes user behavior of user accounts after the user accounts are accessed. User behavior for a particular user account can include transitioning (e.g., switching) to a different user account and/or different network accessible system (e.g., different host). The user interface1000 can be presented upon receiving a request, from a user, identifying that he/she wants to view user chaining information. For instance, the user can access a web page, and select an option identifying “User Chaining”.
The user interface1000 includes an identification of a number of “Remote Users”1002 (e.g., user accounts which were used in remote sessions), a number of “Target Users”1004 (e.g., a number of user accounts that were transitioned to from an initially utilized user account), and a number of “Target Hosts”1006 (e.g., a number of transitioned to network accessible systems that were).
When determining a user chaining score (e.g., described above with reference toFIG. 4), the system determines whether a particular user account transitioned to another user account with escalated privileges. Since an employee might have two user accounts (e.g., one user account with normal privileges, and one user account with escalated privileges to perform administrator functions), the system determines whether the transition to a second user account occurred by a same employee associated with each user account.
That is, a transition to a privileged user account from a non-privileged user account can be identified as a “Privileged Match”1008, if each user account is associated with a same employee. Similarly, a transition to a privileged user account from a non-privileged user account can be identified as a “Privileged Non-Match”1010, if each user account is not associated with a same employee. The “Privileged Non-Match”1010 can indicate that a malicious actor was able to improperly transition to a privileged user account.
The user interface1000 includes representations of a number of different user account transitions, including a number of “Privileged Match”1008 user account transitions, a number of “Exact Match” transitions (e.g., a number of user accounts that transitioned to a non-privileged user account, with each transition associated with a same employee), a number of “Privileged Match”1010 transitions, a number of “No Match” transitions (e.g., a number of user accounts that transitioned to a non-privileged user account, with each transition associated with a different employee), and a number of “Service Accounts” (e.g., a number of transitions to service accounts).
The user interface1000 identifies user accounts1012 that transitioned to a different user account, along with information describing the transition. For instance, a first entry identifies an “Event Time” (e.g., a time the transition occurred), a source user account1012 (e.g., “add64”), an internal Internet Protocol (IP) address associated with the source user account1012, a “Match Type” (e.g., a transition type which as illustrated is “Privileged Match”), a target user account (e.g., “cm-add64”), and a “Target Host” (e.g., a target network accessible system). The user interface1000 further identifies a “Triage Status”1014, which as described above identifies whether a particular user account has been reviewed by a reviewing user. A reviewing user can determine (e.g., based off a target host), that a target host is a high value target (e.g., a domain controller), and determine that a user account was likely compromised based on a review of the ‘Source User’ (e.g., an employee that does not deal with network security likely should not be accessing to a domain controller).
FIG. 11 illustrates anexample user interface1100 describing user chaining information associated with a selected user account. In the example ofFIG. 11, the reviewing user has selected auser account1102 to review (e.g., “cxh01”).
Upon selection, theuser interface1100 updates the number of remote users, the number of target users (e.g., the number of non-unique target user accounts transitioned to), and the number of target network accessible systems (e.g., described above inFIG. 10), and includes information solely associated with the selected user account1012.
The reviewing user can utilize theuser interface1102 to determine that a malicious actor is controlling the selecteduser account1102. For instance, the selecteduser account1102 transitioned to nine user accounts, with each transition identified as a “Privileged Non Match”, indicating the selecteduser account1102 is not associated with the same employee as the transitioned privileged user accounts. Furthermore, the reviewing user can identify that a particular network accessible system accessed by (e.g., transitioned to by) a privileged user account is a particularly important network accessible system. For instance, as illustrated, the highlighted networkaccessible system1104 is a domain controller, which is a system that responds to, and handles, security authorization requests for user accounts.
FIG. 12 illustrates anexample user interface1200 that includes detailed user chaining information associated with a selecteduser account1202. Theuser interface1200 can be presented upon selection of theuser account1102 described inFIG. 11.
Theuser interface1200 includes a number of determined user chaining alerts for all time (e.g., generated based off the user chaining score described inFIG. 4), a number of user chaining alerts for the selected time period, a number of remote access sessions initiated by different virtual private network (VPN) sessions, and a number of unique target users transitioned to by the selecteduser account1202.
To help the reviewing user visualize user chaining of the selecteduser account1202, the system can generate aconnected graph1204 that illustrates the transitions between user accounts. For instance, thefirst row1206 of theconnected graph1204 illustrates unique VPN connections (e.g., 5 VPN connections) that accessed the selecteduser account1202. Thesecond row1208 illustrates user accounts that were transitioned to from the selecteduser account1202. Similarly, thethird row1210 illustrates user accounts transitioned to from thesecond row1208 of user accounts, and the fourth1212 row illustrates user accounts transitioned to from thethird row1210.
As described above, with reference toFIG. 4, the system can monitor user accounts transitioned to from a particular user account by monitoring IP addresses, and system logs (e.g., operating system logs) associated with each user account transition. For instance, thefirst row1206 identifies initial VPN connections to the selecteduser account1202. The system can monitor the network accessible systems accessed by the initial VPN connection, and then upon a transition, the system can obtain system logs and determine an IP address associated with the VPN connection that accessed a different user account and network accessible system. In this way, the system can follow user behavior across multiple user accounts, and provide theconnected graph1204 to explain the transitions to a reviewing user.
As an example of determining user transitions, when a user comes onto the network remotely they are assigned a unique IP. The system can then look for logons on different machines that have a network logon originating from the unique IP assigned above during the time of the user's session. If the user account being used on the different machine differs from the user remotely accessing the network, then that is the behavior we are describing.
Additionally, as described above (e.g., inFIG. 3), the system can identify particular user accounts for review based on user compromise scores. In some implementations, the system can actively monitor and determine user compromise scores, and upon determining that one or more of the user compromise scores for a particular user account exceed a threshold, can trigger notifications to be provided to a user device for review. That is, the user device can execute an application in communication with the system (e.g., a specific application associated with user account monitoring), and the system can trigger the user device to present information describing the particular user account. Additional notifications can include e-mails, SMS, MMS, texts, phone call, and so on. In this way, the system can ensure that time-sensitive information associated with user accounts timely reaches an intended user (e.g., by activating an associated user device).
Each of the processes, methods, and algorithms described in the preceding sections may be embodied in, and fully or partially automated by, code modules executed by one or more computer systems or computer processors comprising computer hardware. The code modules (or “engines”) may be stored on any type of non-transitory computer-readable medium or computer storage device, such as hard drives, solid state memory, optical disc, and/or the like. The systems and modules may also be transmitted as generated data signals (for example, as part of a carrier wave or other analog or digital propagated signal) on a variety of computer-readable transmission mediums, including wireless-based and wired/cable-based mediums, and may take a variety of forms (for example, as part of a single or multiplexed analog signal, or as multiple discrete digital packets or frames). The processes and algorithms may be implemented partially or wholly in application-specific circuitry. The results of the disclosed processes and process steps may be stored, persistently or otherwise, in any type of non-transitory computer storage such as, for example, volatile or non-volatile storage.
In general, the terms “engine” and “module”, as used herein, refer to logic embodied in hardware or firmware, or to a collection of software instructions, possibly having entry and exit points, written in a programming language, such as, for example, Java, Lua, C or C++. A software module may be compiled and linked into an executable program, installed in a dynamic link library, or may be written in an interpreted programming language such as, for example, BASIC, Perl, or Python. It will be appreciated that software modules may be callable from other modules or from themselves, and/or may be invoked in response to detected events or interrupts. Software modules configured for execution on computing devices may be provided on a computer readable medium, such as a compact disc, digital video disc, flash drive, or any other tangible medium. Such software code may be stored, partially or fully, on a memory device of the executing computing device, such as the useraccount compromise system100, for execution by the computing device. Software instructions may be embedded in firmware, such as an EPROM. It will be further appreciated that hardware modules may be comprised of connected logic units, such as gates and flip-flops, and/or may be comprised of programmable units, such as programmable gate arrays or processors. The modules described herein are preferably implemented as software modules, but may be represented in hardware or firmware. Generally, the modules described herein refer to logical modules that may be combined with other modules or divided into sub-modules despite their physical organization or storage. Electronic Data Sources can include databases, volatile/non-volatile memory, and any memory system or subsystem that maintains information.
The various features and processes described above may be used independently of one another, or may be combined in various ways. All possible combinations and subcombinations are intended to fall within the scope of this disclosure. In addition, certain method or process blocks may be omitted in some implementations. The methods and processes described herein are also not limited to any particular sequence, and the blocks or states relating thereto can be performed in other sequences that are appropriate. For example, described blocks or states may be performed in an order other than that specifically disclosed, or multiple blocks or states may be combined in a single block or state. The example blocks or states may be performed in serial, in parallel, or in some other manner. Blocks or states may be added to or removed from the disclosed example embodiments. The example systems and components described herein may be configured differently than described. For example, elements may be added to, removed from, or rearranged compared to the disclosed example embodiments.
Conditional language used herein, such as, among others, “can,” “could,” “might,” “may,” “for example,” and the like, unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or steps. Thus, such conditional language is not generally intended to imply that features, elements and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without author input or prompting, whether these features, elements and/or steps are included or are to be performed in any particular embodiment. The terms “comprising,” “including,” “having,” and the like are synonymous and are used inclusively, in an open-ended fashion, and do not exclude additional elements, features, acts, operations, and so forth. Also, the term “or” is used in its inclusive sense (and not in its exclusive sense) so that when used, for example, to connect a list of elements, the term “or” means one, some, or all of the elements in the list. Conjunctive language such as the phrase “at least one of X, Y and Z,” unless specifically stated otherwise, is otherwise understood with the context as used in general to convey that an item, term, etc. may be either X, Y or Z. Thus, such conjunctive language is not generally intended to imply that certain embodiments require at least one of X, at least one of Y and at least one of Z to each be present.
While certain example embodiments have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of the disclosure. Thus, nothing in the foregoing description is intended to imply that any particular element, feature, characteristic, step, module, or block is necessary or indispensable. Indeed, the novel methods and systems described herein may be embodied in a variety of other forms; furthermore, various omissions, substitutions, and changes in the form of the methods and systems described herein may be made without departing from the spirit of the inventions disclosed herein. The accompanying claims and their equivalents are intended to cover such forms or modifications as would fall within the scope and spirit of certain of the inventions disclosed herein.
Any process descriptions, elements, or blocks in the flow diagrams described herein and/or depicted in the attached figures should be understood as potentially representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process. Alternate implementations are included within the scope of the embodiments described herein in which elements or functions may be deleted, executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those skilled in the art.
It should be emphasized that many variations and modifications may be made to the above-described embodiments, the elements of which are to be understood as being among other acceptable examples. All such modifications and variations are intended to be included herein within the scope of this disclosure. The foregoing description details certain embodiments of the invention. It will be appreciated, however, that no matter how detailed the foregoing appears in text, the invention can be practiced in many ways. As is also stated above, it should be noted that the use of particular terminology when describing certain features or aspects of the invention should not be taken to imply that the terminology is being re-defined herein to be restricted to including any specific characteristics of the features or aspects of the invention with which that terminology is associated.

Claims (20)

What is claimed is:
1. A computerized method performed by one or more computer systems, the method comprising:
accessing network access logs associated with a plurality of network accessible systems, the network access logs being generated in response to network actions associated with a plurality of user accounts, the user accounts each associated with, in the network access logs, one or more IP addresses of corresponding user devices;
determining, based at least on the network access logs, information indicative of user accounts exhibiting high-risk behavior, the information including, for each of one or more user accounts, a transition from the user account to a subsequent user account associated with a different user, the transition being associated with escalated user privileges, wherein the user account transitions are determined based, at least in part, on monitoring IP addresses indicated in the network access logs; and
providing, for presentation in an interactive user interface, information describing a set of user accounts and corresponding determined information, wherein the interactive user interface is configured to receive user actions associated with preventing an attack on one or more networks, wherein the user actions comprise one or more of selecting specific user accounts for more detailed information or generating information to be presented to specific user accounts.
2. The computerized method ofclaim 1, wherein the determined information indicative of a particular user account exhibiting high-risk behavior comprises one or more of information indicating network accessible systems not normally used by the particular user account to access the one or more networks, likelihoods associated with a single user being able to access the particular user account from different locations within threshold periods of times, information associated with traversing the network accessible systems, or information indicating risks and/or abnormalities associated with geographic locations from which the particular user account was used.
3. The computerized method ofclaim 2, wherein determining information indicative of the particular user account exhibiting high-risk behavior is based, at least in part, on historical user behavior of the particular user account.
4. The computerized method ofclaim 1, wherein the network access logs comprise virtual private network (VPN) logs, Active Directory (AD) logs, firewall logs, user account access records, system logs, and wherein the network accessible systems comprise server systems, domain controllers, computers, laptops, checkout systems, point of sale systems, firewalls, VPN servers.
5. The computerized method ofclaim 1, further comprising:
receiving, from a user device presenting the interactive user interface, a request to receive information specific to a particular user account of the set of user accounts, the request identifying a particular time period;
obtaining data describing network actions of the particular user account during the particular time period; and
determining updated information indicative of the particular user account exhibiting high-risk behavior, thereby enabling comparisons based on time period.
6. The computerized method ofclaim 1, wherein the interactive user interface:
presents summary information associated with the set of user accounts, the summary information:
identifying transitions initiating from user accounts of the set of user accounts to respective subsequent user accounts, and
identifying whether each transition is associated with escalated user privileged; and
enables user actions associated with preventing an attack.
7. The computerized method ofclaim 6, wherein the interactive user interface presents information identifying that a first user account and a subsequent user account identified by a particular transition are user accounts of a same user.
8. The computerized method ofclaim 6, further comprising:
receiving, from a user device presenting the interactive user interface, a selection of a particular user account of the set of user accounts; and
updating the interactive user interface, such that the interactive user interface presents a visual representation of a graph illustrating transitions from (1) particular user account to subsequent user accounts, and/or (2) transitions from the subsequent user accounts to additional subsequent user accounts.
9. The computerized method ofclaim 1, further comprising:
causing activation of an application executing on a particular user device, the application being triggered to present information describing the set of user accounts, such that time-sensitive information is presented to a user of the particular user device.
10. A system comprising one or more computer systems and one or more computer storage media storing instructions that when executed by the one or more computer systems cause the one or more computer systems to perform operations comprising:
accessing network access logs associated with a plurality of network accessible systems, the network access logs indicating network actions associated with a plurality of user accounts, the user accounts each associated with, in the network access logs, one or more IP addresses of corresponding user devices;
determining, based at least on the network access logs, information indicative of user accounts exhibiting high-risk behavior, the information including, for each of one or more user accounts, a transition from the user account to a subsequent user account associated with a different user, the transition being associated with escalated user privileges, wherein the user account transitions are determined based, at least in part, on monitoring IP addresses indicated in the network access logs; and
providing, for presentation in an interactive user interface, information describing a set of user accounts and corresponding determined information, wherein the interactive user interface is configured to receive user actions associated with preventing an attack on one or more networks, wherein the user actions comprise one or more of selecting specific user accounts for more detailed information or generating information to be presented to specific user accounts.
11. The system ofclaim 10, wherein the determined information indicative of a particular user account exhibiting high-risk behavior comprises one or more of information indicating network accessible systems not normally used by the particular user account to access the one or more networks, likelihoods associated with a single user being able to access the particular user account from different locations within threshold periods of times, information associated with traversing the network accessible systems, or information indicating risks and/or abnormalities associated with geographic locations from which the particular user account was used.
12. The system ofclaim 11, wherein determining information indicative of the particular user account exhibiting high-risk behavior is based, at least in part, on historical user behavior of the particular user account.
13. The system ofclaim 10, wherein the operations further comprise:
receiving, from a user device presenting the interactive user interface, a request to receive information specific to a particular user account of the set of user accounts, the request identifying a particular time period;
obtaining data describing network actions of the particular user account during the particular time period; and
determining updated information indicative of the particular user account exhibiting high-risk behavior, thereby enabling comparisons based on time period.
14. The system ofclaim 10, wherein the interactive user interface:
presents summary information associated with the set of user accounts, the summary information:
identifying transitions initiating from user accounts of the set of user accounts to respective subsequent user accounts, and
identifying whether each transition is associated with escalated user privileged; and
enables user actions associated with preventing an attack.
15. The system ofclaim 14, wherein the interactive user interface presents information identifying that a first user account and a subsequent user account identified by a particular transition are user accounts of a same user.
16. The system ofclaim 15, wherein the operations further comprise:
receiving, from a user device presenting the interactive user interface, a selection of a particular user account of the set of user accounts; and
updating the interactive user interface, such that the interactive user interface presents a visual representation of a graph illustrating transitions from (1) particular user account to subsequent user accounts, and/or (2) transitions from the subsequent user accounts to additional subsequent user accounts.
17. Non-transitory computer storage media storing instructions that when executed one or more computer systems cause the one or more computer systems to perform operations comprising:
accessing network access logs associated with a plurality of network accessible systems, the network access logs indicating network actions associated with a plurality of user accounts, the user accounts each associated with, in the network access logs, one or more IP addresses of corresponding user devices;
determining, based at least on the network access logs, information indicative of user accounts exhibiting high-risk behavior, the information including, for each of one or more user accounts, a transition from the user account to a subsequent user account associated with a different user, the transition being associated with escalated user privileges, wherein the user account transitions are determined based, at least in part, on monitoring IP addresses indicated in the network access logs; and
providing, for presentation in an interactive user interface, information describing a set of user accounts and corresponding determined information, wherein the interactive user interface is configured to receive user actions associated with preventing an attack on one or more networks, wherein the user actions comprise one or more of selecting specific user accounts for more detailed information or generating information to be presented to specific user accounts.
18. The non-transitory computer storage ofclaim 17, wherein the determined information indicative of a particular user account exhibiting high-risk behavior comprises one or more of information indicating network accessible systems not normally used by the particular user account to access the one or more networks, likelihoods associated with a single user being able to access the particular user account from different locations within threshold periods of times, information associated with traversing the network accessible systems, or information indicating risks and/or abnormalities associated with geographic locations from which the particular user account was used.
19. The non-transitory computer storage ofclaim 17, wherein the interactive user interface:
presents summary information associated with the set of user accounts, the summary information:
identifying transitions initiating from user accounts of the set of user accounts to respective subsequent user accounts, and
identifying whether each transition is associated with escalated user privileged; and
enables user actions associated with preventing an attack.
20. The non-transitory computer storage ofclaim 19, wherein the operations further comprise:
receiving, from a user device presenting the interactive user interface, a selection of a particular user account of the set of user accounts; and
updating the interactive user interface, such that the interactive user interface presents a visual representation of a graph illustrating transitions from (1) particular user account to subsequent user accounts, and/or (2) transitions from the subsequent user accounts to additional subsequent user accounts.
US15/395,4832015-08-192016-12-30Anomalous network monitoring, user behavior detection and database systemActiveUS10129282B2 (en)

Priority Applications (2)

Application NumberPriority DateFiling DateTitle
US15/395,483US10129282B2 (en)2015-08-192016-12-30Anomalous network monitoring, user behavior detection and database system
US16/186,801US11470102B2 (en)2015-08-192018-11-12Anomalous network monitoring, user behavior detection and database system

Applications Claiming Priority (3)

Application NumberPriority DateFiling DateTitle
US201562207272P2015-08-192015-08-19
US14/982,699US9537880B1 (en)2015-08-192015-12-29Anomalous network monitoring, user behavior detection and database system
US15/395,483US10129282B2 (en)2015-08-192016-12-30Anomalous network monitoring, user behavior detection and database system

Related Parent Applications (1)

Application NumberTitlePriority DateFiling Date
US14/982,699ContinuationUS9537880B1 (en)2015-08-192015-12-29Anomalous network monitoring, user behavior detection and database system

Related Child Applications (1)

Application NumberTitlePriority DateFiling Date
US16/186,801ContinuationUS11470102B2 (en)2015-08-192018-11-12Anomalous network monitoring, user behavior detection and database system

Publications (2)

Publication NumberPublication Date
US20170111381A1 US20170111381A1 (en)2017-04-20
US10129282B2true US10129282B2 (en)2018-11-13

Family

ID=57682256

Family Applications (3)

Application NumberTitlePriority DateFiling Date
US14/982,699ActiveUS9537880B1 (en)2015-08-192015-12-29Anomalous network monitoring, user behavior detection and database system
US15/395,483ActiveUS10129282B2 (en)2015-08-192016-12-30Anomalous network monitoring, user behavior detection and database system
US16/186,801ActiveUS11470102B2 (en)2015-08-192018-11-12Anomalous network monitoring, user behavior detection and database system

Family Applications Before (1)

Application NumberTitlePriority DateFiling Date
US14/982,699ActiveUS9537880B1 (en)2015-08-192015-12-29Anomalous network monitoring, user behavior detection and database system

Family Applications After (1)

Application NumberTitlePriority DateFiling Date
US16/186,801ActiveUS11470102B2 (en)2015-08-192018-11-12Anomalous network monitoring, user behavior detection and database system

Country Status (2)

CountryLink
US (3)US9537880B1 (en)
EP (2)EP3133522B1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US10609046B2 (en)2014-08-132020-03-31Palantir Technologies Inc.Unwanted tunneling alert system
US10735448B2 (en)2015-06-262020-08-04Palantir Technologies Inc.Network anomaly detection
US11128649B1 (en)2019-03-062021-09-21Trend Micro IncorporatedSystems and methods for detecting and responding to anomalous messaging and compromised accounts
US11165817B2 (en)*2019-10-242021-11-02Arbor Networks, Inc.Mitigation of network denial of service attacks using IP location services
US11212306B2 (en)*2016-09-062021-12-28Accenture Global Solutions LimitedGraph database analysis for network anomaly detection systems
US11397723B2 (en)2015-09-092022-07-26Palantir Technologies Inc.Data integrity checks
US11418529B2 (en)2018-12-202022-08-16Palantir Technologies Inc.Detection of vulnerabilities in a computer network
US11470102B2 (en)2015-08-192022-10-11Palantir Technologies Inc.Anomalous network monitoring, user behavior detection and database system
US20220385684A1 (en)*2021-06-012022-12-01Cytwist Ltd.Artificial intelligence cyber identity classification
CN117675506A (en)*2023-10-162024-03-08北京智慧城市网络有限公司Intelligent network operation and maintenance management method and system based on user behavior analysis

Families Citing this family (64)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US10044745B1 (en)2015-10-122018-08-07Palantir Technologies, Inc.Systems for computer network security risk assessment including user compromise analysis associated with a network of devices
WO2017196430A1 (en)*2016-05-112017-11-16Acalvio Technologies, Inc.Systems and methods for identifying similar hosts
US11301550B2 (en)*2016-09-072022-04-12Cylance Inc.Computer user authentication using machine learning
US10291638B1 (en)*2016-09-082019-05-14Skyhigh Networks, LlcCloud activity threat detection for sparse and limited user behavior data
US10395016B2 (en)*2017-01-242019-08-27International Business Machines CorporationCommunication pattern recognition
NO20170249A1 (en)*2017-02-202018-08-21Jazz Networks LtdSecure access by behavior recognition
US10565373B1 (en)*2017-02-212020-02-18Ca, Inc.Behavioral analysis of scripting utility usage in an enterprise
US10313386B1 (en)*2017-03-282019-06-04Symantec CorporationSystems and methods for assessing security risks of users of computer networks of organizations
US11194915B2 (en)*2017-04-142021-12-07The Trustees Of Columbia University In The City Of New YorkMethods, systems, and media for testing insider threat detection systems
US11394731B2 (en)*2017-05-162022-07-19Citrix Systems, Inc.Computer system providing anomaly detection within a virtual computing sessions and related methods
CN107357809B (en)*2017-05-272021-05-07国家电网公司Mass platform Highsoon real-time library measurement data access system
US10341372B2 (en)*2017-06-122019-07-02International Business Machines CorporationClustering for detection of anomalous behavior and insider threat
CN107563194A (en)*2017-09-042018-01-09杭州安恒信息技术有限公司Latency steals user data behavioral value method and device
CN108197444A (en)*2018-01-232018-06-22北京百度网讯科技有限公司Right management method, device and server under a kind of distributed environment
EP3759633A1 (en)*2018-02-282021-01-06Cyber Defence Qcd CorporationMethods and systems for cyber-monitoring and visually depicting cyber-activities
JP7200496B2 (en)*2018-03-302023-01-10日本電気株式会社 Information processing device, control method, and program
US10764303B2 (en)*2018-04-252020-09-01Microsoft Technology Licensing, LlcDetecting unauthorized cloud access by detecting malicious velocity incidents
US20200244693A1 (en)*2018-07-242020-07-30University Of New BrunswickSystems and methods for cybersecurity risk assessment of users of a computer network
US11899763B2 (en)*2018-09-172024-02-13Microsoft Technology Licensing, LlcSupervised learning system for identity compromise risk computation
US10938846B1 (en)*2018-11-202021-03-02Trend Micro IncorporatedAnomalous logon detector for protecting servers of a computer network
US11032312B2 (en)2018-12-192021-06-08Abnormal Security CorporationProgrammatic discovery, retrieval, and analysis of communications to identify abnormal communication activity
US11431738B2 (en)2018-12-192022-08-30Abnormal Security CorporationMultistage analysis of emails to identify security threats
US11050793B2 (en)2018-12-192021-06-29Abnormal Security CorporationRetrospective learning of communication patterns by machine learning models for discovering abnormal behavior
US11824870B2 (en)2018-12-192023-11-21Abnormal Security CorporationThreat detection platforms for detecting, characterizing, and remediating email-based threats in real time
US11223638B2 (en)*2018-12-272022-01-11Rapid7, Inc.Stable network user account classifier
US11487873B2 (en)*2019-01-222022-11-01EMC IP Holding Company LLCRisk score generation utilizing monitored behavior and predicted impact of compromise
US12170680B2 (en)2019-02-132024-12-17Obsidian Security, Inc.Systems and methods for detecting security incidents across cloud-based application services
US11463462B2 (en)*2019-06-172022-10-04Microsoft Technology Licensing, LlcBot behavior detection
US10992696B2 (en)2019-09-042021-04-27Morgan Stanley Services Group Inc.Enterprise-level security method and system
US10754506B1 (en)*2019-10-072020-08-25Cyberark Software Ltd.Monitoring and controlling risk compliance in network environments
TWI726449B (en)*2019-10-182021-05-01臺灣銀行股份有限公司Network attack analysis method
US12132747B2 (en)*2019-10-222024-10-29Microsoft Technology Licensing, LlcUser impact potential for security alert management
US11165815B2 (en)*2019-10-282021-11-02Capital One Services, LlcSystems and methods for cyber security alert triage
US11483327B2 (en)*2019-11-172022-10-25Microsoft Technology Licensing, LlcCollaborative filtering anomaly detection explainability
US20210158348A1 (en)*2019-11-212021-05-27Paypal, Inc.Tracking device identification data and account activities for account classification
US12217205B1 (en)2019-12-112025-02-04Wells Fargo Bank, N.A.Computer systems for analyzing and presenting alert-based information
US10992972B1 (en)*2019-12-312021-04-27Adobe Inc.Automatic identification of impermissable account sharing
WO2021148145A1 (en)*2020-01-202021-07-29Atos Information Technology GmbHMethod for intrusion detection to detect malicious insider threat activities and system for intrusion detection
US11567847B2 (en)*2020-02-042023-01-31International Business Machines CorporationIdentifying anomolous device usage based on usage patterns
US11470042B2 (en)2020-02-212022-10-11Abnormal Security CorporationDiscovering email account compromise through assessments of digital activities
US11477234B2 (en)2020-02-282022-10-18Abnormal Security CorporationFederated database for establishing and tracking risk of interactions with third parties
US11252189B2 (en)2020-03-022022-02-15Abnormal Security CorporationAbuse mailbox for facilitating discovery, investigation, and analysis of email-based threats
WO2021178423A1 (en)2020-03-022021-09-10Abnormal Security CorporationMultichannel threat detection for protecting against account compromise
US11451576B2 (en)2020-03-122022-09-20Abnormal Security CorporationInvestigation of threats using queryable records of behavior
EP4139801A4 (en)2020-04-232024-08-14Abnormal Security CorporationDetection and prevention of external fraud
US10887337B1 (en)*2020-06-172021-01-05Confluera, Inc.Detecting and trail-continuation for attacks through remote desktop protocol lateral movement
US20210397903A1 (en)*2020-06-182021-12-23Zoho Corporation Private LimitedMachine learning powered user and entity behavior analysis
US11528242B2 (en)2020-10-232022-12-13Abnormal Security CorporationDiscovering graymail through real-time analysis of incoming email
US20220159029A1 (en)*2020-11-132022-05-19Cyberark Software Ltd.Detection of security risks based on secretless connection data
US11687648B2 (en)2020-12-102023-06-27Abnormal Security CorporationDeriving and surfacing insights regarding security threats
US12388866B2 (en)2021-02-232025-08-12Saudi Arabian Oil CompanySystems and methods for malicious URL pattern detection
US11943200B2 (en)2021-03-162024-03-26Saudi Arabian Oil CompanySystems and methods for detecting anomalous virtual private network sessions using machine learning
US12028363B2 (en)*2021-04-152024-07-02Bank Of America CorporationDetecting bad actors within information systems
US11887143B2 (en)*2021-04-222024-01-30Capital One Services, LlcRecord management system for enabling access to a record
US11831661B2 (en)2021-06-032023-11-28Abnormal Security CorporationMulti-tiered approach to payload detection for incoming communications
US20230007023A1 (en)*2021-06-302023-01-05Dropbox, Inc.Detecting anomalous digital actions utilizing an anomalous-detection model
US11372921B1 (en)*2021-07-292022-06-28Accenture Global Solutions LimitedActive directory management and remediation
US20230049749A1 (en)*2021-08-132023-02-16People Center, Inc.Resource Provisioning Based on Estimation of Risk
US11397808B1 (en)2021-09-022022-07-26Confluera, Inc.Attack detection based on graph edge context
JP7689043B2 (en)*2021-09-102025-06-05日立ヴァンタラ株式会社 Management system, management method using the management system, and computer program
US11893125B2 (en)*2021-10-142024-02-06Cohesity, Inc.Providing a graphical representation of anomalous events
US12282546B2 (en)*2021-11-012025-04-22Microsoft Technology Licensing, LlcAbnormal classic authorization detection systems
US20240095385A1 (en)*2022-09-212024-03-21Accenture Global Solutions LimitedDataset privacy management system
US11750643B1 (en)*2022-10-112023-09-05Second Sight Data Discovery, Inc.Apparatus and method for determining a recommended cyber-attack risk remediation action

Citations (141)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US5978475A (en)1997-07-181999-11-02Counterpane Internet Security, Inc.Event auditing system
US6253203B1 (en)1998-10-022001-06-26Ncr CorporationPrivacy-enhanced database
US20020112157A1 (en)1997-09-222002-08-15Proofspace, Inc.System and method for widely witnessed proof of time
US6725240B1 (en)2000-08-082004-04-20International Business Machines CorporationApparatus and method for protecting against data tampering in an audit subsystem
US20040123139A1 (en)2002-12-182004-06-24At&T Corp.System having filtering/monitoring of secure connections
US20040153418A1 (en)2003-02-052004-08-05Hanweck Gerald AlfredSystem and method for providing access to data from proprietary tools
US6807569B1 (en)2000-09-122004-10-19Science Applications International CorporationTrusted and anonymous system and method for sharing threat data to industry assets
US20040250124A1 (en)2003-05-192004-12-09Vsecure Technologies (Us) Inc.Dynamic network protection
WO2005010685A2 (en)2003-07-182005-02-03Corestreet, Ltd.Controlling access to an area
US20050125295A1 (en)2003-12-092005-06-09Tidwell Lisa C.Systems and methods for obtaining payor information at a point of sale
US20050157662A1 (en)*2004-01-202005-07-21Justin BinghamSystems and methods for detecting a compromised network
US20050229256A2 (en)2001-12-312005-10-13Citadel Security Software Inc.Automated Computer Vulnerability Resolution System
EP1589716A1 (en)2004-04-202005-10-26Ecole Polytechnique Fédérale de Lausanne (EPFL)Method of detecting anomalous behaviour in a computer network
US20050262556A1 (en)2004-05-072005-11-24Nicolas WaismanMethods and apparatus for computer network security using intrusion detection and prevention
US20050275638A1 (en)2003-03-282005-12-15Microsoft CorporationDynamic feedback for gestures
US20060021049A1 (en)2004-07-222006-01-26Cook Chad LTechniques for identifying vulnerabilities in a network
US20060031928A1 (en)2004-08-092006-02-09Conley James WDetector and computerized method for determining an occurrence of tunneling activity
US7013395B1 (en)2001-03-132006-03-14Sandra CorporationMethod and tool for network vulnerability analysis
US7017046B2 (en)1997-09-222006-03-21Proofspace, Inc.System and method for graphical indicia for the certification of records
US20060069912A1 (en)2003-05-302006-03-30Yuliang ZhengSystems and methods for enhanced network security
US7069586B1 (en)2000-04-032006-06-27Software Secure, Inc.Securely executing an application on a computer system
US20060156407A1 (en)2002-09-302006-07-13Cummins Fred AComputer model of security risks
US20060179003A1 (en)2000-11-072006-08-10Enfotrust Networks, Inc.Consumer-controlled limited and constrained access to a centrally stored information account
US20060212931A1 (en)2005-03-022006-09-21Markmonitor, Inc.Trust evaluation systems and methods
US20060218637A1 (en)2005-03-242006-09-28Microsoft CorporationSystem and method of selectively scanning a file on a computing device for malware
US20060265324A1 (en)2005-05-182006-11-23AlcatelSecurity risk analysis systems and methods
US20060265747A1 (en)2002-03-082006-11-23Ciphertrust, Inc.Systems and Methods For Message Threat Management
US20060265751A1 (en)2005-05-182006-11-23AlcatelCommunication network security risk exposure management systems and methods
US20070067846A1 (en)2005-09-222007-03-22AlcatelSystems and methods of associating security vulnerabilities and assets
US20070143851A1 (en)2005-12-212007-06-21FiberlinkMethod and systems for controlling access to computing resources based on known security vulnerabilities
US20070214115A1 (en)2006-03-132007-09-13Microsoft CorporationEvent detection based on evolution of click-through data
US7287689B2 (en)2003-12-092007-10-30First Data CorporationSystems and methods for assessing the risk of a financial transaction using authenticating marks
US20070294766A1 (en)2006-06-142007-12-20Microsoft CorporationEnterprise threat modeling
US20080005555A1 (en)2002-10-012008-01-03Amnon LotemSystem, method and computer readable medium for evaluating potential attacks of worms
US20080082380A1 (en)2006-05-192008-04-03Stephenson Peter RMethod for evaluating system risk
US20080104407A1 (en)2006-10-312008-05-01Hewlett-Packard Development Company, L.P.Audit-log integrity using redactable signatures
US20080201580A1 (en)2007-02-212008-08-21Stephen SavitzkyTrustworthy timestamps and certifiable clocks using logs linked by cryptographic hashes
US20080222706A1 (en)*2007-03-062008-09-11Martin RenaudGlobally aware authentication system
US20080229422A1 (en)2007-03-142008-09-18Microsoft CorporationEnterprise security assessment sharing
US20090103442A1 (en)2007-09-282009-04-23Richard DouvilleCommunicating risk information within a multi-domain network
US20090228701A1 (en)2008-03-042009-09-10Industrial Technology Research InstituteLogging system and method based on one-way hash function
US7596285B2 (en)2004-02-262009-09-29International Business Machines CorporationProviding a portion of an electronic mail message at a reduced resolution
US20090292743A1 (en)2008-05-212009-11-26Bigus Joseph PModeling user access to computer resources
US20090328222A1 (en)2008-06-252009-12-31Microsoft CorporationMapping between users and machines in an enterprise security assessment sharing system
US20100024017A1 (en)2008-07-222010-01-28Bank Of America CorporationLocation-Based Authentication of Online Transactions Using Mobile Device
US20100077481A1 (en)2008-09-222010-03-25Microsoft CorporationCollecting and analyzing malware data
US20100100963A1 (en)2008-10-212010-04-22Flexilis, Inc.System and method for attack and malware prevention
CN101729531A (en)2009-03-162010-06-09中兴通讯股份有限公司Method, device and system of distributing network safety strategies
US20100179831A1 (en)2009-01-152010-07-15International Business Machines CorporationUniversal personal medical database access control
US7770032B2 (en)2004-04-062010-08-03Telecom Italia S.P.A.Secure logging for irrefutable administration
US20100235915A1 (en)2009-03-122010-09-16Nasir MemonUsing host symptoms, host roles, and/or host reputation for detection of host infection
US7801871B2 (en)2005-08-092010-09-21Nexsan Technologies Canada Inc.Data archiving system
US20100262688A1 (en)2009-01-212010-10-14Daniar HussainSystems, methods, and devices for detecting security vulnerabilities in ip networks
US20100330801A1 (en)2009-06-262010-12-30Hynix Semiconductor Inc.Method of Fabricating Landing Plug in Semiconductor Device
EP2284769A1 (en)2009-07-162011-02-16European Space AgencyMethod and apparatus for analyzing time series data
US20110060910A1 (en)2009-09-082011-03-10Gormish Michael JDevice enabled verifiable stroke and image based workflows
US7962495B2 (en)2006-11-202011-06-14Palantir Technologies, Inc.Creating data in a data store using a dynamic ontology
US20110202555A1 (en)2010-01-282011-08-18IT.COM, Inc.Graphical User Interfaces Supporting Method And System For Electronic Discovery Using Social Network Analysis
US20110219450A1 (en)2010-03-082011-09-08Raytheon CompanySystem And Method For Malware Detection
US20110288660A1 (en)2010-05-212011-11-24Fisher-Rosemount Systems, Inc.On-line alignment of a process analytical model with actual process operation
US20110295982A1 (en)2010-05-252011-12-01Telcordia Technologies, Inc.Societal-scale graph-based interdiction for virus propagation slowdown in telecommunications networks
US20110296003A1 (en)2010-06-012011-12-01Microsoft CorporationUser account behavior techniques
US20120079592A1 (en)2010-09-242012-03-29Verisign, Inc.Ip prioritization and scoring system for ddos detection and mitigation
US20120084866A1 (en)*2007-06-122012-04-05Stolfo Salvatore JMethods, systems, and media for measuring computer security
US20120110674A1 (en)2010-09-222012-05-03Rohyt BelaniMethods and systems for rating privacy risk of applications for smart phones and other mobile platforms
US20120110633A1 (en)2010-10-292012-05-03Electronics And Telecommunications Research InstituteApparatus for sharing security information among network domains and method thereof
US8181253B1 (en)*2011-04-192012-05-15Kaspersky Lab ZaoSystem and method for reducing security risk in computer network
US8190893B2 (en)2003-10-272012-05-29Jp Morgan Chase BankPortable security transaction protocol
US8196184B2 (en)2007-02-162012-06-05Microsoft CorporationEfficient data structures for multi-dimensional security
US20120169593A1 (en)2011-01-052012-07-05Research In Motion LimitedDefinition and handling of user input events in a web browser
US20120185419A1 (en)*2011-01-132012-07-19Qualcomm IncorporatedDetermining a dynamic user profile indicative of a user behavior context with a mobile device
US20120198489A1 (en)*2006-04-102012-08-02International Business Machines CorporationDetecting fraud using set-top box interaction behavior
US8239668B1 (en)2009-04-152012-08-07Trend Micro IncorporatedComputer security threat data collection and aggregation with user privacy protection
US20120218305A1 (en)2011-02-242012-08-30Google Inc.Systems and Methods for Manipulating User Annotations in Electronic Books
US20120254129A1 (en)2011-04-022012-10-04Recursion Software, Inc.System and method for managing sensitive data using intelligent mobile agents on a network
US20120266245A1 (en)2011-04-152012-10-18Raytheon CompanyMulti-Nodal Malware Analysis
US8295898B2 (en)2008-07-222012-10-23Bank Of America CorporationLocation based authentication of mobile device transactions
US8301904B1 (en)2008-06-242012-10-30Mcafee, Inc.System, method, and computer program product for automatically identifying potentially unwanted data as unwanted
US20120284791A1 (en)2011-05-062012-11-08The Penn State Research FoundationRobust anomaly detection and regularized domain adaptation of classifiers with application to internet packet-flows
US8312546B2 (en)2007-04-232012-11-13Mcafee, Inc.Systems, apparatus, and methods for detecting malware
US8321958B1 (en)2008-07-302012-11-27Next It CorporationDetecting presence of a subject string in a target string and security event qualification based on prior behavior by an end user of a computer system
US20120304244A1 (en)2011-05-242012-11-29Palo Alto Networks, Inc.Malware analysis system
US20120323829A1 (en)2011-06-172012-12-20Microsoft CorporationGraph-based classification based on file relationships
US20120330801A1 (en)2011-06-272012-12-27Raytheon CompanyDistributed Malware Detection
US20130019306A1 (en)2011-07-122013-01-17At&T Intellectual Property I, L.P.Remote-Assisted Malware Detection
US20130097709A1 (en)2011-10-182013-04-18Mcafee, Inc.User behavioral risk assessment
US8434150B2 (en)2011-03-242013-04-30Microsoft CorporationUsing social graphs to combat malicious attacks
US20130110876A1 (en)2011-10-282013-05-02Microsoft CorporationPermission based query processing
US8448247B2 (en)2002-03-292013-05-21Global Dataguard Inc.Adaptive behavioral intrusion detection systems and methods
US20130139268A1 (en)2011-11-282013-05-30Electronics And Telecommunications Research InstituteAgent apparatus and method for sharing anonymous identifier-based security information among security management domains
CN103281301A (en)2013-04-282013-09-04上海海事大学System and method for judging cloud safety malicious program
US8533319B2 (en)2010-06-022013-09-10Lockheed Martin CorporationMethods and systems for prioritizing network assets
US20130239217A1 (en)*2012-03-072013-09-12Cleanport, BVSystem, Method and Computer Program Product for Determining a Person's Aggregate Online Risk Score
US20130254885A1 (en)2012-03-142013-09-26Matthew G. DEVOSTSystem and method for detecting potential threats by monitoring user and system behavior associated with computer and network activity
US20130275416A1 (en)*2012-04-112013-10-17Avaya Inc.Scoring of resource groups
US8615605B2 (en)2010-10-222013-12-24Microsoft CorporationAutomatic identification of travel and non-travel network addresses
US20140013451A1 (en)2012-07-062014-01-09Sap AgData obfuscation for open data (odata) communications
US8646080B2 (en)2005-09-162014-02-04Avg Technologies Cy LimitedMethod and apparatus for removing harmful software
US20140053265A1 (en)*2012-05-232014-02-20Observable Networks, Inc.System and method for continuous device profiling
US20140059683A1 (en)2012-08-222014-02-27International Business Machines CorporationCooperative intrusion detection ecosystem for IP reputation-based security
US20140082691A1 (en)2010-02-152014-03-20Bank Of America CorporationAnomalous Activity Detection
US8683322B1 (en)2010-02-102014-03-25Socialware, Inc.Method, system and computer program product for structuring unstructured data originating from uncontrolled web application
US20140123279A1 (en)2012-10-292014-05-01Michael G. BishopDynamic quarantining for malware detection
US8726379B1 (en)2011-07-152014-05-13Norse CorporationSystems and methods for dynamic protection from electronic attacks
US20140143009A1 (en)2012-11-162014-05-22International Business Machines CorporationRisk reward estimation for company-country pairs
US20140173738A1 (en)*2012-12-182014-06-19Michael CondryUser device security profile
US20140173712A1 (en)2012-12-182014-06-19Verizon Patent And Licensing Inc.Network security system with customizable rule-based analytics engine for identifying application layer violations
US20140181968A1 (en)2012-12-202014-06-26At&T Intellectual Property I, L.P.Monitoring Operational Activities In Networks And Detecting Potential Network Intrusions And Misuses
US8769412B2 (en)*2009-11-202014-07-01Alert Enterprise, Inc.Method and apparatus for risk visualization and remediation
US20140188895A1 (en)2012-12-282014-07-03Microsoft CorporationDetecting anomalies in behavioral network with contextual side information
US8782794B2 (en)2010-04-162014-07-15Bank Of America CorporationDetecting secure or encrypted tunneling in a computer network
US20140201345A1 (en)*2013-01-152014-07-17International Business Machines CorporationManaging user privileges for computer resources in a networked computing environment
US8789140B2 (en)2003-02-142014-07-22Preventsys, Inc.System and method for interfacing with heterogeneous network data gathering tools
US20140229422A1 (en)2013-02-132014-08-14Namit JainHive table links
US20140279684A1 (en)2013-03-152014-09-18Thomson Reuters Global Resources (Trgr)System and method for determining and utilizing successful observed performance
US20140283107A1 (en)2013-03-142014-09-18Appsense LimitedSecure data management
US8881288B1 (en)2008-10-282014-11-04Intelligent Automation, Inc.Graphical models for cyber security analysis in enterprise networks
US8904506B1 (en)2011-11-232014-12-02Amazon Technologies, Inc.Dynamic account throttling
US8931043B2 (en)*2012-04-102015-01-06Mcafee Inc.System and method for determining and using local reputations of users and hosts to protect information in a network environment
US20150039565A1 (en)2013-08-012015-02-05Actiance, Inc.Unified context-aware content archive system
US20150089568A1 (en)2013-09-262015-03-26Wave Systems Corp.Device identification scoring
US9009827B1 (en)2014-02-202015-04-14Palantir Technologies Inc.Security sharing system
US9021260B1 (en)2014-07-032015-04-28Palantir Technologies Inc.Malware data item analysis
US20150128274A1 (en)2013-11-042015-05-07Crypteia Networks S.A.System and method for identifying infected networks and systems from unknown attacks
US9049117B1 (en)2009-10-212015-06-02Narus, Inc.System and method for collecting and processing information of an internet user via IP-web correlation
US20150188715A1 (en)2013-12-302015-07-02Palantir Technologies, Inc.Verifiable redactable audit log
EP2892197A1 (en)2014-01-032015-07-08Palantir Technologies, Inc.IP reputation
US20150229664A1 (en)*2014-02-132015-08-13Trevor Tyler HAWTHORNAssessing security risks of users in a computing network
US20150235152A1 (en)2014-02-182015-08-20Palo Alto Research Center IncorporatedSystem and method for modeling behavior change and consistency to detect malicious insiders
NL2011642C2 (en)2012-10-222015-08-25Palantir TechnologiesSharing data between nexuses that use different classification schemes for data access control.
US20150248563A1 (en)2014-03-032015-09-03International Business Machines CorporationRequesting instant messaging history by validated parties
US20150326601A1 (en)*2014-05-102015-11-12Informatica CorporationAssessment type-variable enterprise security impact analysis
EP2963578A1 (en)2014-07-032016-01-06Palantir Technologies, Inc.Malware data item analysis
EP2985974A1 (en)2014-08-132016-02-17Palantir Technologies, Inc.Malicious tunneling handling system
US9335897B2 (en)2013-08-082016-05-10Palantir Technologies Inc.Long click display of a context menu
US20160191532A1 (en)2014-12-292016-06-30Palantir Technologies Inc.Systems for network risk assessment including processing of user access rights associated with a network of devices
US9401925B1 (en)2013-09-122016-07-26Symantec CorporationSystems and methods for detecting security threats based on user profiles
US9407652B1 (en)2015-06-262016-08-02Palantir Technologies Inc.Network anomaly detection
US9537880B1 (en)2015-08-192017-01-03Palantir Technologies Inc.Anomalous network monitoring, user behavior detection and database system
US20170003352A1 (en)2014-01-032017-01-05Commissariat A L'energie Atomique Et Aux Energies AlternativesMethod, device and system for estimating the state of health of a battery in an electric or hybrid vehicle during operation thereof, and method for creating model for estimation of said type
US9576119B2 (en)2008-12-262017-02-21Facebook, Inc.Preventing phishing attacks based on reputation of user locations

Family Cites Families (139)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US5437032A (en)1993-11-041995-07-25International Business Machines CorporationTask scheduler for a miltiprocessor system
US5560005A (en)1994-02-251996-09-24Actamed Corp.Methods and systems for object-based relational distributed databases
US5872973A (en)1995-10-261999-02-16Viewsoft, Inc.Method for managing dynamic relations between objects in dynamic object-oriented languages
US6366933B1 (en)1995-10-272002-04-02At&T Corp.Method and apparatus for tracking and viewing changes on the web
US5897636A (en)1996-07-111999-04-27Tandem Corporation IncorporatedDistributed object computer system with hierarchical name space versioning
US6477527B2 (en)1997-05-092002-11-05International Business Machines CorporationSystem, method, and program for object building in queries over object views
US6073129A (en)1997-12-292000-06-06Bull Hn Information Systems Inc.Method and apparatus for improving the performance of a database management system through a central cache mechanism
US6510504B2 (en)1998-06-292003-01-21Oracle CorporationMethods and apparatus for memory allocation for object instances in an object-oriented software environment
US6243717B1 (en)1998-09-012001-06-05Camstar Systems, Inc.System and method for implementing revision management of linked data entities and user dependent terminology
US6161098A (en)1998-09-142000-12-12Folio (Fn), Inc.Method and apparatus for enabling small investors with a portfolio of securities to manage taxable events within the portfolio
US6418438B1 (en)1998-12-162002-07-09Microsoft CorporationDynamic scalable lock mechanism
US7111231B1 (en)1999-02-242006-09-19Intellisync CorporationSystem and methodology for dynamic application environment employing runtime execution templates
US6574635B2 (en)1999-03-032003-06-03Siebel Systems, Inc.Application instantiation based upon attributes and values stored in a meta data repository, including tiering of application layers objects and components
US6304873B1 (en)1999-07-062001-10-16Compaq Computer CorporationSystem and method for performing database operations and for skipping over tuples locked in an incompatible mode
US6560620B1 (en)1999-08-032003-05-06Aplix Research, Inc.Hierarchical document comparison system and method
US6976210B1 (en)1999-08-312005-12-13Lucent Technologies Inc.Method and apparatus for web-site-independent personalization from multiple sites having user-determined extraction functionality
US7630986B1 (en)1999-10-272009-12-08Pinpoint, IncorporatedSecure data interchange
US7216115B1 (en)1999-11-102007-05-08Fastcase.Com, Inc.Apparatus and method for displaying records responsive to a database query
US7194680B1 (en)1999-12-072007-03-20Adobe Systems IncorporatedFormatting content by example
US20040117387A1 (en)2000-02-252004-06-17Vincent CivettaDatabase sizing and diagnostic utility
US6745382B1 (en)2000-04-132004-06-01Worldcom, Inc.CORBA wrappers for rules automation technology
DE60124657T2 (en)2000-11-082007-10-18International Business Machines Corp. Reduction of exclusion conflicts in SQL transactions
US7058648B1 (en)2000-12-012006-06-06Oracle International CorporationHierarchy-based secured document repository
US20060265397A1 (en)2001-03-062006-11-23Knowledge Vector, Inc.Methods, systems, and computer program products for extensible, profile-and context-based information correlation, routing and distribution
JP3842573B2 (en)2001-03-302006-11-08株式会社東芝 Structured document search method, structured document management apparatus and program
US6980984B1 (en)2001-05-162005-12-27Kanisa, Inc.Content provider systems and methods using structured data
JP4237055B2 (en)2001-09-282009-03-11ファイバーリンク コミュニケーションズ コーポレーション Client-side network access policy and management application
US6877136B2 (en)2001-10-262005-04-05United Services Automobile Association (Usaa)System and method of providing electronic access to one or more documents
US7475242B2 (en)2001-12-182009-01-06Hewlett-Packard Development Company, L.P.Controlling the distribution of information
US7426559B2 (en)2002-05-092008-09-16International Business Machines CorporationMethod for sequential coordination of external database application events with asynchronous internal database events
US7539680B2 (en)2002-05-102009-05-26Lsi CorporationRevision control for database of evolved design
US7461158B2 (en)2002-08-072008-12-02Intelliden, Inc.System and method for controlling access rights to network resources
US7076508B2 (en)2002-08-122006-07-11International Business Machines CorporationMethod, system, and program for merging log entries from multiple recovery log files
AU2003284118A1 (en)2002-10-142004-05-04Battelle Memorial InstituteInformation reservoir
US20040078251A1 (en)2002-10-162004-04-22Demarcken Carl G.Dividing a travel query into sub-queries
US20040148301A1 (en)2003-01-242004-07-29Mckay Christopher W.T.Compressed data structure for a database
US7139772B2 (en)2003-08-012006-11-21Oracle International CorporationOwnership reassignment in a shared-nothing database system
US8627489B2 (en)2003-10-312014-01-07Adobe Systems IncorporatedDistributed document version control
US7324995B2 (en)2003-11-172008-01-29Rackable Systems Inc.Method for retrieving and modifying data elements on a shared medium
WO2006002234A2 (en)2004-06-222006-01-05Coras, Inc.Systems and methods for software based on business concepts
WO2006018843A2 (en)2004-08-162006-02-23Beinsync Ltd.A system and method for the synchronization of data across multiple computing devices
US20060074881A1 (en)2004-10-022006-04-06Adventnet, Inc.Structure independent searching in disparate databases
US20060080316A1 (en)2004-10-082006-04-13Meridio LtdMultiple indexing of an electronic document to selectively permit access to the content and metadata thereof
GB0422750D0 (en)2004-10-132004-11-17Ciphergrid LtdRemote database technique
US7574409B2 (en)2004-11-042009-08-11Vericept CorporationMethod, apparatus, and system for clustering and classification
US7418461B2 (en)2005-01-142008-08-26Microsoft CorporationSchema conformance for database servers
US8200700B2 (en)2005-02-012012-06-12Newsilike Media Group, IncSystems and methods for use of structured and unstructured distributed data
US8271436B2 (en)2005-02-072012-09-18Mimosa Systems, Inc.Retro-fitting synthetic full copies of data
US20060242630A1 (en)2005-03-092006-10-26Maxis Co., Ltd.Process for preparing design procedure document and apparatus for the same
US7725728B2 (en)2005-03-232010-05-25Business Objects Data Integration, Inc.Apparatus and method for dynamically auditing data migration to produce metadata
US20060218491A1 (en)2005-03-252006-09-28International Business Machines CorporationSystem, method and program product for community review of documents
US8145686B2 (en)2005-05-062012-03-27Microsoft CorporationMaintenance of link level consistency between database and file system
US20070050429A1 (en)2005-08-262007-03-01Centric Software, Inc.Time-range locking for temporal database and branched-and-temporal databases
US8032885B2 (en)2005-10-112011-10-04Oracle International CorporationMethod and medium for combining operation commands into database submission groups
US8185819B2 (en)2005-12-122012-05-22Google Inc.Module specification for a module to be incorporated into a container document
US7730082B2 (en)2005-12-122010-06-01Google Inc.Remote module incorporation into a container document
US7725530B2 (en)2005-12-122010-05-25Google Inc.Proxy server collection of data for module incorporation into a container document
US7730109B2 (en)2005-12-122010-06-01Google, Inc.Message catalogs for remote modules
US7792809B2 (en)2005-12-192010-09-07Tera data US, Inc.Database system
US7606844B2 (en)2005-12-192009-10-20Commvault Systems, Inc.System and method for performing replication copy storage operations
WO2007100298A1 (en)2006-03-032007-09-07Donya Research AbCreation and rendering of hierarchical digital multimedia data
US7752123B2 (en)2006-04-282010-07-06Townsend Analytics Ltd.Order management system and method for electronic securities trading
EP3493074A1 (en)2006-10-052019-06-05Splunk Inc.Time series search engine
US7840525B2 (en)2006-10-112010-11-23Ruby Jonathan PExtended transactions
US8229902B2 (en)2006-11-012012-07-24Ab Initio Technology LlcManaging storage of individually accessible data units
US7792868B2 (en)2006-11-102010-09-07Microsoft CorporationData object linking and browsing tool
US8126848B2 (en)2006-12-072012-02-28Robert Edward WagnerAutomated method for identifying and repairing logical data discrepancies between database replicas in a database cluster
US8930331B2 (en)2007-02-212015-01-06Palantir TechnologiesProviding unique views of data based on changes or rules
US7873557B2 (en)2007-02-282011-01-18Aaron GuidottiInformation, document, and compliance management for financial professionals, clients, and supervisors
US20090164387A1 (en)2007-04-172009-06-25Semandex Networks Inc.Systems and methods for providing semantically enhanced financial information
US7644238B2 (en)2007-06-012010-01-05Microsoft CorporationTimestamp based transactional memory
US9489216B2 (en)2007-07-262016-11-08Sap SeActive tiled user interface
US20090106308A1 (en)2007-10-182009-04-23Christopher KillianComplexity estimation of data objects
US8010886B2 (en)2008-01-042011-08-30Microsoft CorporationIntelligently representing files in a view
JP4585579B2 (en)2008-04-242010-11-24株式会社日立製作所 Data management method, data management program, and data management apparatus
US8688622B2 (en)2008-06-022014-04-01The Boeing CompanyMethods and systems for loading data into a temporal data warehouse
US8301593B2 (en)2008-06-122012-10-30Gravic, Inc.Mixed mode synchronous and asynchronous replication system
US7962458B2 (en)2008-06-122011-06-14Gravic, Inc.Method for replicating explicit locks in a data replication engine
FI127113B (en)2008-06-172017-11-15Tekla Corp Data search
US8429614B2 (en)2008-06-232013-04-23International Business Machines CorporationMethod and apparatus of effective functional test data generation for web service testing
US8037040B2 (en)2008-08-082011-10-11Oracle International CorporationGenerating continuous query notifications
JP4612715B2 (en)2008-09-052011-01-12株式会社日立製作所 Information processing system, data update method, and data update program
US8041714B2 (en)2008-09-152011-10-18Palantir Technologies, Inc.Filter chains with associated views for exploring large data sets
US20100114887A1 (en)2008-10-172010-05-06Google Inc.Textual Disambiguation Using Social Connections
US8306947B2 (en)2008-10-302012-11-06Hewlett-Packard Development Company, L.P.Replication of operations on objects distributed in a storage system
US7974943B2 (en)2008-10-302011-07-05Hewlett-Packard Development Company, L.P.Building a synchronized target database
US10002161B2 (en)2008-12-032018-06-19Sap SeMultithreading and concurrency control for a rule-based transaction engine
US8204859B2 (en)2008-12-102012-06-19Commvault Systems, Inc.Systems and methods for managing replicated database data
KR101207510B1 (en)2008-12-182012-12-03한국전자통신연구원Cluster Data Management System And Method for Data Restoring Using Shared Read-Only Log in Cluster Data Management System
EP2380101B1 (en)2008-12-222019-10-30Google LLCAsynchronous distributed garbage collection for replicated storage clusters
EP2221733A1 (en)2009-02-172010-08-25AMADEUS sasMethod allowing validation in a production database of new entered data prior to their release
US8886689B2 (en)2009-02-172014-11-11Trane U.S. Inc.Efficient storage of data allowing for multiple level granularity retrieval
US8078825B2 (en)2009-03-112011-12-13Oracle America, Inc.Composite hash and list partitioning of database tables
US10290053B2 (en)2009-06-122019-05-14Guardian Analytics, Inc.Fraud detection and analysis
CA2709498A1 (en)2009-07-102011-01-10Xkoto Inc.System and method for subunit operations in a database
US20110047540A1 (en)2009-08-242011-02-24Embarcadero Technologies Inc.System and Methodology for Automating Delivery, Licensing, and Availability of Software Products
US20110184813A1 (en)2009-09-142011-07-28Cbs Interactive, Inc.Targeting offers to users of a web site
US10027711B2 (en)*2009-11-202018-07-17Alert Enterprise, Inc.Situational intelligence
US8572023B2 (en)2010-04-142013-10-29Bank Of America CorporationData services framework workflow processing
US10198463B2 (en)2010-04-162019-02-05Salesforce.Com, Inc.Methods and systems for appending data to large data volumes in a multi-tenant store
US9298768B2 (en)2010-07-212016-03-29Sqream Technologies LtdSystem and method for the parallel execution of database queries over CPUs and multi core processors
US8661335B2 (en)2010-09-202014-02-25Blackberry LimitedMethods and systems for identifying content elements
CN102467596B (en)2010-11-152016-09-21商业对象软件有限公司Instrument board evaluator
US20120136804A1 (en)2010-11-302012-05-31Raymond J. Lucia, SR.Wealth Management System and Method
US9378294B2 (en)2010-12-172016-06-28Microsoft Technology Licensing, LlcPresenting source regions of rendered source web pages in target regions of target web pages
US9129257B2 (en)*2010-12-202015-09-08Verizon Patent And Licensing Inc.Method and system for monitoring high risk users
US8935383B2 (en)2010-12-312015-01-13Verisign, Inc.Systems, apparatus, and methods for network data analysis
WO2012141199A1 (en)*2011-04-112012-10-18クラリオン株式会社Position calculation method and position calculation device
US8799240B2 (en)2011-06-232014-08-05Palantir Technologies, Inc.System and method for investigating large amounts of data
US9092482B2 (en)2013-03-142015-07-28Palantir Technologies, Inc.Fair scheduling for mixed-query loads
US9280532B2 (en)2011-08-022016-03-08Palantir Technologies, Inc.System and method for accessing rich objects via spreadsheets
US8504542B2 (en)2011-09-022013-08-06Palantir Technologies, Inc.Multi-row transactions
US20130091052A1 (en)2011-10-072013-04-11Paal KaperdalSystems and methods for generating new accounts with a financial institution
US8849776B2 (en)2011-10-172014-09-30Yahoo! Inc.Method and system for resolving data inconsistency
US20130151388A1 (en)2011-12-122013-06-13Visa International Service AssociationSystems and methods to identify affluence levels of accounts
US9185095B1 (en)*2012-03-202015-11-10United Services Automobile Association (Usaa)Behavioral profiling method and system to authenticate a user
US20150047026A1 (en)2012-03-222015-02-12Los Alamos National Security, LlcAnomaly detection to identify coordinated group attacks in computer networks
EP2662782A1 (en)2012-05-102013-11-13Siemens AktiengesellschaftMethod and system for storing data in a database
US20140149272A1 (en)2012-08-172014-05-29Trueex Group LlcInteroffice bank offered rate financial product and implementation
US8676857B1 (en)2012-08-232014-03-18International Business Machines CorporationContext-based search for a data store related to a graph node
US8856057B2 (en)*2012-09-132014-10-07James Albert IonsonCognitive security system and method
US9392463B2 (en)*2012-12-202016-07-12Tarun AnandSystem and method for detecting anomaly in a handheld device
US9195506B2 (en)2012-12-212015-11-24International Business Machines CorporationProcessor provisioning by a middleware processing system for a plurality of logical processor partitions
US9356948B2 (en)*2013-02-082016-05-31PhishMe, Inc.Collaborative phishing attack detection
US9230280B1 (en)2013-03-152016-01-05Palantir Technologies Inc.Clustering data based on indications of financial malfeasance
US9229991B2 (en)*2013-04-192016-01-05Palo Alto Research Center IncorporatedComputer-implemented system and method for exploring and filtering an information space based on attributes via an interactive display
US9904852B2 (en)*2013-05-232018-02-27Sri InternationalReal-time object detection, tracking and occlusion reasoning
US9787760B2 (en)2013-09-242017-10-10Chad FolkeningPlatform for building virtual entities using equity systems
US9367809B2 (en)*2013-10-112016-06-14Accenture Global Services LimitedContextual graph matching based anomaly detection
US9116975B2 (en)2013-10-182015-08-25Palantir Technologies Inc.Systems and user interfaces for dynamic and interactive simultaneous querying of multiple data stores
US9043696B1 (en)2014-01-032015-05-26Palantir Technologies Inc.Systems and methods for visual definition of data associations
US9836502B2 (en)2014-01-302017-12-05Splunk Inc.Panel templates for visualization of data within an interactive dashboard
US9454281B2 (en)2014-09-032016-09-27Palantir Technologies Inc.System for providing dynamic linked panels in user interface
US20160099960A1 (en)*2014-10-012016-04-07Infocyte, Inc.System and method for scanning hosts using an autonomous, self-destructing payload
US9335911B1 (en)2014-12-292016-05-10Palantir Technologies Inc.Interactive user interface for dynamic data analysis exploration and query processing
US20160292599A1 (en)*2015-04-062016-10-06Fmr LlcAnalyzing and remediating operational risks in production computing systems
US9454564B1 (en)2015-09-092016-09-27Palantir Technologies Inc.Data integrity checks
US10044745B1 (en)2015-10-122018-08-07Palantir Technologies, Inc.Systems for computer network security risk assessment including user compromise analysis associated with a network of devices
GB201621434D0 (en)2016-12-162017-02-01Palantir Technologies IncProcessing sensor logs

Patent Citations (162)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US5978475A (en)1997-07-181999-11-02Counterpane Internet Security, Inc.Event auditing system
US20020112157A1 (en)1997-09-222002-08-15Proofspace, Inc.System and method for widely witnessed proof of time
US7017046B2 (en)1997-09-222006-03-21Proofspace, Inc.System and method for graphical indicia for the certification of records
US6253203B1 (en)1998-10-022001-06-26Ncr CorporationPrivacy-enhanced database
US7069586B1 (en)2000-04-032006-06-27Software Secure, Inc.Securely executing an application on a computer system
US6725240B1 (en)2000-08-082004-04-20International Business Machines CorporationApparatus and method for protecting against data tampering in an audit subsystem
US6807569B1 (en)2000-09-122004-10-19Science Applications International CorporationTrusted and anonymous system and method for sharing threat data to industry assets
US20060179003A1 (en)2000-11-072006-08-10Enfotrust Networks, Inc.Consumer-controlled limited and constrained access to a centrally stored information account
US7013395B1 (en)2001-03-132006-03-14Sandra CorporationMethod and tool for network vulnerability analysis
US20050229256A2 (en)2001-12-312005-10-13Citadel Security Software Inc.Automated Computer Vulnerability Resolution System
US20060265747A1 (en)2002-03-082006-11-23Ciphertrust, Inc.Systems and Methods For Message Threat Management
US8448247B2 (en)2002-03-292013-05-21Global Dataguard Inc.Adaptive behavioral intrusion detection systems and methods
US20060156407A1 (en)2002-09-302006-07-13Cummins Fred AComputer model of security risks
US7472421B2 (en)2002-09-302008-12-30Electronic Data Systems CorporationComputer model of security risks
US20080005555A1 (en)2002-10-012008-01-03Amnon LotemSystem, method and computer readable medium for evaluating potential attacks of worms
US20040123139A1 (en)2002-12-182004-06-24At&T Corp.System having filtering/monitoring of secure connections
US20040153418A1 (en)2003-02-052004-08-05Hanweck Gerald AlfredSystem and method for providing access to data from proprietary tools
US8789140B2 (en)2003-02-142014-07-22Preventsys, Inc.System and method for interfacing with heterogeneous network data gathering tools
US20050275638A1 (en)2003-03-282005-12-15Microsoft CorporationDynamic feedback for gestures
US20040250124A1 (en)2003-05-192004-12-09Vsecure Technologies (Us) Inc.Dynamic network protection
US20060069912A1 (en)2003-05-302006-03-30Yuliang ZhengSystems and methods for enhanced network security
WO2005010685A2 (en)2003-07-182005-02-03Corestreet, Ltd.Controlling access to an area
US8190893B2 (en)2003-10-272012-05-29Jp Morgan Chase BankPortable security transaction protocol
US20050125295A1 (en)2003-12-092005-06-09Tidwell Lisa C.Systems and methods for obtaining payor information at a point of sale
US7287689B2 (en)2003-12-092007-10-30First Data CorporationSystems and methods for assessing the risk of a financial transaction using authenticating marks
US20050157662A1 (en)*2004-01-202005-07-21Justin BinghamSystems and methods for detecting a compromised network
US7596285B2 (en)2004-02-262009-09-29International Business Machines CorporationProviding a portion of an electronic mail message at a reduced resolution
US7770032B2 (en)2004-04-062010-08-03Telecom Italia S.P.A.Secure logging for irrefutable administration
EP1589716A1 (en)2004-04-202005-10-26Ecole Polytechnique Fédérale de Lausanne (EPFL)Method of detecting anomalous behaviour in a computer network
US20050262556A1 (en)2004-05-072005-11-24Nicolas WaismanMethods and apparatus for computer network security using intrusion detection and prevention
US7225468B2 (en)2004-05-072007-05-29Digital Security Networks, LlcMethods and apparatus for computer network security using intrusion detection and prevention
US20060021049A1 (en)2004-07-222006-01-26Cook Chad LTechniques for identifying vulnerabilities in a network
US20060031928A1 (en)2004-08-092006-02-09Conley James WDetector and computerized method for determining an occurrence of tunneling activity
US20060212931A1 (en)2005-03-022006-09-21Markmonitor, Inc.Trust evaluation systems and methods
US20060218637A1 (en)2005-03-242006-09-28Microsoft CorporationSystem and method of selectively scanning a file on a computing device for malware
US20060265324A1 (en)2005-05-182006-11-23AlcatelSecurity risk analysis systems and methods
US20060265751A1 (en)2005-05-182006-11-23AlcatelCommunication network security risk exposure management systems and methods
US7801871B2 (en)2005-08-092010-09-21Nexsan Technologies Canada Inc.Data archiving system
US8646080B2 (en)2005-09-162014-02-04Avg Technologies Cy LimitedMethod and apparatus for removing harmful software
US20070067846A1 (en)2005-09-222007-03-22AlcatelSystems and methods of associating security vulnerabilities and assets
US20130254833A1 (en)2005-12-212013-09-26Fiberlink Communications CorporationMethods and systems for controlling access to computing resources based on known security vulnerabilities
US20070143851A1 (en)2005-12-212007-06-21FiberlinkMethod and systems for controlling access to computing resources based on known security vulnerabilities
US20070214115A1 (en)2006-03-132007-09-13Microsoft CorporationEvent detection based on evolution of click-through data
US20120198489A1 (en)*2006-04-102012-08-02International Business Machines CorporationDetecting fraud using set-top box interaction behavior
US20080082380A1 (en)2006-05-192008-04-03Stephenson Peter RMethod for evaluating system risk
US20070294766A1 (en)2006-06-142007-12-20Microsoft CorporationEnterprise threat modeling
US20080104407A1 (en)2006-10-312008-05-01Hewlett-Packard Development Company, L.P.Audit-log integrity using redactable signatures
US7962495B2 (en)2006-11-202011-06-14Palantir Technologies, Inc.Creating data in a data store using a dynamic ontology
US8196184B2 (en)2007-02-162012-06-05Microsoft CorporationEfficient data structures for multi-dimensional security
EP1962222A2 (en)2007-02-212008-08-27Ricoh Company, Ltd.Trustworthy timestamps and certifiable clocks using logs linked by cryptographic hashes
US20080201580A1 (en)2007-02-212008-08-21Stephen SavitzkyTrustworthy timestamps and certifiable clocks using logs linked by cryptographic hashes
US20080222706A1 (en)*2007-03-062008-09-11Martin RenaudGlobally aware authentication system
US20080229422A1 (en)2007-03-142008-09-18Microsoft CorporationEnterprise security assessment sharing
US8312546B2 (en)2007-04-232012-11-13Mcafee, Inc.Systems, apparatus, and methods for detecting malware
US20120084866A1 (en)*2007-06-122012-04-05Stolfo Salvatore JMethods, systems, and media for measuring computer security
US20090103442A1 (en)2007-09-282009-04-23Richard DouvilleCommunicating risk information within a multi-domain network
US20090228701A1 (en)2008-03-042009-09-10Industrial Technology Research InstituteLogging system and method based on one-way hash function
US20090292743A1 (en)2008-05-212009-11-26Bigus Joseph PModeling user access to computer resources
US8301904B1 (en)2008-06-242012-10-30Mcafee, Inc.System, method, and computer program product for automatically identifying potentially unwanted data as unwanted
US20090328222A1 (en)2008-06-252009-12-31Microsoft CorporationMapping between users and machines in an enterprise security assessment sharing system
US8295898B2 (en)2008-07-222012-10-23Bank Of America CorporationLocation based authentication of mobile device transactions
US20100024017A1 (en)2008-07-222010-01-28Bank Of America CorporationLocation-Based Authentication of Online Transactions Using Mobile Device
US8321958B1 (en)2008-07-302012-11-27Next It CorporationDetecting presence of a subject string in a target string and security event qualification based on prior behavior by an end user of a computer system
US20100077481A1 (en)2008-09-222010-03-25Microsoft CorporationCollecting and analyzing malware data
US20100100963A1 (en)2008-10-212010-04-22Flexilis, Inc.System and method for attack and malware prevention
US8881288B1 (en)2008-10-282014-11-04Intelligent Automation, Inc.Graphical models for cyber security analysis in enterprise networks
US9576119B2 (en)2008-12-262017-02-21Facebook, Inc.Preventing phishing attacks based on reputation of user locations
US20100179831A1 (en)2009-01-152010-07-15International Business Machines CorporationUniversal personal medical database access control
US20100262688A1 (en)2009-01-212010-10-14Daniar HussainSystems, methods, and devices for detecting security vulnerabilities in ip networks
US20100235915A1 (en)2009-03-122010-09-16Nasir MemonUsing host symptoms, host roles, and/or host reputation for detection of host infection
CN101729531A (en)2009-03-162010-06-09中兴通讯股份有限公司Method, device and system of distributing network safety strategies
US8239668B1 (en)2009-04-152012-08-07Trend Micro IncorporatedComputer security threat data collection and aggregation with user privacy protection
US20100330801A1 (en)2009-06-262010-12-30Hynix Semiconductor Inc.Method of Fabricating Landing Plug in Semiconductor Device
EP2284769A1 (en)2009-07-162011-02-16European Space AgencyMethod and apparatus for analyzing time series data
US20110060910A1 (en)2009-09-082011-03-10Gormish Michael JDevice enabled verifiable stroke and image based workflows
US9049117B1 (en)2009-10-212015-06-02Narus, Inc.System and method for collecting and processing information of an internet user via IP-web correlation
US8769412B2 (en)*2009-11-202014-07-01Alert Enterprise, Inc.Method and apparatus for risk visualization and remediation
US20110202555A1 (en)2010-01-282011-08-18IT.COM, Inc.Graphical User Interfaces Supporting Method And System For Electronic Discovery Using Social Network Analysis
US8683322B1 (en)2010-02-102014-03-25Socialware, Inc.Method, system and computer program product for structuring unstructured data originating from uncontrolled web application
US20140082691A1 (en)2010-02-152014-03-20Bank Of America CorporationAnomalous Activity Detection
US20110219450A1 (en)2010-03-082011-09-08Raytheon CompanySystem And Method For Malware Detection
US8782794B2 (en)2010-04-162014-07-15Bank Of America CorporationDetecting secure or encrypted tunneling in a computer network
US20110288660A1 (en)2010-05-212011-11-24Fisher-Rosemount Systems, Inc.On-line alignment of a process analytical model with actual process operation
US20110295982A1 (en)2010-05-252011-12-01Telcordia Technologies, Inc.Societal-scale graph-based interdiction for virus propagation slowdown in telecommunications networks
US20110296003A1 (en)2010-06-012011-12-01Microsoft CorporationUser account behavior techniques
US8533319B2 (en)2010-06-022013-09-10Lockheed Martin CorporationMethods and systems for prioritizing network assets
US20120110674A1 (en)2010-09-222012-05-03Rohyt BelaniMethods and systems for rating privacy risk of applications for smart phones and other mobile platforms
US20120079592A1 (en)2010-09-242012-03-29Verisign, Inc.Ip prioritization and scoring system for ddos detection and mitigation
US8615605B2 (en)2010-10-222013-12-24Microsoft CorporationAutomatic identification of travel and non-travel network addresses
US20120110633A1 (en)2010-10-292012-05-03Electronics And Telecommunications Research InstituteApparatus for sharing security information among network domains and method thereof
US20120169593A1 (en)2011-01-052012-07-05Research In Motion LimitedDefinition and handling of user input events in a web browser
US20120185419A1 (en)*2011-01-132012-07-19Qualcomm IncorporatedDetermining a dynamic user profile indicative of a user behavior context with a mobile device
US20120218305A1 (en)2011-02-242012-08-30Google Inc.Systems and Methods for Manipulating User Annotations in Electronic Books
US8434150B2 (en)2011-03-242013-04-30Microsoft CorporationUsing social graphs to combat malicious attacks
US20120254129A1 (en)2011-04-022012-10-04Recursion Software, Inc.System and method for managing sensitive data using intelligent mobile agents on a network
US20120266245A1 (en)2011-04-152012-10-18Raytheon CompanyMulti-Nodal Malware Analysis
US8181253B1 (en)*2011-04-192012-05-15Kaspersky Lab ZaoSystem and method for reducing security risk in computer network
US20120284791A1 (en)2011-05-062012-11-08The Penn State Research FoundationRobust anomaly detection and regularized domain adaptation of classifiers with application to internet packet-flows
US20120304244A1 (en)2011-05-242012-11-29Palo Alto Networks, Inc.Malware analysis system
US20120323829A1 (en)2011-06-172012-12-20Microsoft CorporationGraph-based classification based on file relationships
US20120330801A1 (en)2011-06-272012-12-27Raytheon CompanyDistributed Malware Detection
US20130019306A1 (en)2011-07-122013-01-17At&T Intellectual Property I, L.P.Remote-Assisted Malware Detection
US20140366132A1 (en)2011-07-152014-12-11Norse CorporationSystems and Methods for Dynamic Protection from Electronic Attacks
US8726379B1 (en)2011-07-152014-05-13Norse CorporationSystems and methods for dynamic protection from electronic attacks
US20130097709A1 (en)2011-10-182013-04-18Mcafee, Inc.User behavioral risk assessment
US20130110876A1 (en)2011-10-282013-05-02Microsoft CorporationPermission based query processing
US8904506B1 (en)2011-11-232014-12-02Amazon Technologies, Inc.Dynamic account throttling
US20130139268A1 (en)2011-11-282013-05-30Electronics And Telecommunications Research InstituteAgent apparatus and method for sharing anonymous identifier-based security information among security management domains
US20130239217A1 (en)*2012-03-072013-09-12Cleanport, BVSystem, Method and Computer Program Product for Determining a Person's Aggregate Online Risk Score
US20130254885A1 (en)2012-03-142013-09-26Matthew G. DEVOSTSystem and method for detecting potential threats by monitoring user and system behavior associated with computer and network activity
US8931043B2 (en)*2012-04-102015-01-06Mcafee Inc.System and method for determining and using local reputations of users and hosts to protect information in a network environment
US20130275416A1 (en)*2012-04-112013-10-17Avaya Inc.Scoring of resource groups
US20140053265A1 (en)*2012-05-232014-02-20Observable Networks, Inc.System and method for continuous device profiling
US20140013451A1 (en)2012-07-062014-01-09Sap AgData obfuscation for open data (odata) communications
US20140059683A1 (en)2012-08-222014-02-27International Business Machines CorporationCooperative intrusion detection ecosystem for IP reputation-based security
NL2011642C2 (en)2012-10-222015-08-25Palantir TechnologiesSharing data between nexuses that use different classification schemes for data access control.
US20150261847A1 (en)2012-10-222015-09-17Palantir Technologies, Inc.Sharing information between nexuses that use different classification schemes for information access control
US20140123279A1 (en)2012-10-292014-05-01Michael G. BishopDynamic quarantining for malware detection
US20140143009A1 (en)2012-11-162014-05-22International Business Machines CorporationRisk reward estimation for company-country pairs
US20140173712A1 (en)2012-12-182014-06-19Verizon Patent And Licensing Inc.Network security system with customizable rule-based analytics engine for identifying application layer violations
US20140173738A1 (en)*2012-12-182014-06-19Michael CondryUser device security profile
US20140181968A1 (en)2012-12-202014-06-26At&T Intellectual Property I, L.P.Monitoring Operational Activities In Networks And Detecting Potential Network Intrusions And Misuses
US20140188895A1 (en)2012-12-282014-07-03Microsoft CorporationDetecting anomalies in behavioral network with contextual side information
US20140201345A1 (en)*2013-01-152014-07-17International Business Machines CorporationManaging user privileges for computer resources in a networked computing environment
US20140229422A1 (en)2013-02-132014-08-14Namit JainHive table links
US20140283107A1 (en)2013-03-142014-09-18Appsense LimitedSecure data management
US20140279684A1 (en)2013-03-152014-09-18Thomson Reuters Global Resources (Trgr)System and method for determining and utilizing successful observed performance
CN103281301A (en)2013-04-282013-09-04上海海事大学System and method for judging cloud safety malicious program
US20150039565A1 (en)2013-08-012015-02-05Actiance, Inc.Unified context-aware content archive system
US9335897B2 (en)2013-08-082016-05-10Palantir Technologies Inc.Long click display of a context menu
US9401925B1 (en)2013-09-122016-07-26Symantec CorporationSystems and methods for detecting security threats based on user profiles
US20150089568A1 (en)2013-09-262015-03-26Wave Systems Corp.Device identification scoring
US9319419B2 (en)2013-09-262016-04-19Wave Systems Corp.Device identification scoring
US20150128274A1 (en)2013-11-042015-05-07Crypteia Networks S.A.System and method for identifying infected networks and systems from unknown attacks
EP2897051A2 (en)2013-12-302015-07-22Palantir Technologies, Inc.Verifiable audit log
US20150188715A1 (en)2013-12-302015-07-02Palantir Technologies, Inc.Verifiable redactable audit log
US9338013B2 (en)2013-12-302016-05-10Palantir Technologies Inc.Verifiable redactable audit log
US9100428B1 (en)2014-01-032015-08-04Palantir Technologies Inc.System and method for evaluating network threats
EP2892197A1 (en)2014-01-032015-07-08Palantir Technologies, Inc.IP reputation
US20170003352A1 (en)2014-01-032017-01-05Commissariat A L'energie Atomique Et Aux Energies AlternativesMethod, device and system for estimating the state of health of a battery in an electric or hybrid vehicle during operation thereof, and method for creating model for estimation of said type
US20160028759A1 (en)2014-01-032016-01-28Palantir Technologies Inc.System and method for evaluating network threats and usage
US20150229664A1 (en)*2014-02-132015-08-13Trevor Tyler HAWTHORNAssessing security risks of users in a computing network
US20150235152A1 (en)2014-02-182015-08-20Palo Alto Research Center IncorporatedSystem and method for modeling behavior change and consistency to detect malicious insiders
US9009827B1 (en)2014-02-202015-04-14Palantir Technologies Inc.Security sharing system
US20150248563A1 (en)2014-03-032015-09-03International Business Machines CorporationRequesting instant messaging history by validated parties
US20150326601A1 (en)*2014-05-102015-11-12Informatica CorporationAssessment type-variable enterprise security impact analysis
EP2963578A1 (en)2014-07-032016-01-06Palantir Technologies, Inc.Malware data item analysis
US20160004864A1 (en)2014-07-032016-01-07Palantir Technologies Inc.Malware data item analysis
US9021260B1 (en)2014-07-032015-04-28Palantir Technologies Inc.Malware data item analysis
US20180159874A1 (en)2014-08-132018-06-07Palantir Technologies Inc.Unwanted tunneling alert system
US9419992B2 (en)2014-08-132016-08-16Palantir Technologies Inc.Unwanted tunneling alert system
US20160050224A1 (en)2014-08-132016-02-18Palantir Technologies Inc.Unwanted tunneling alert system
EP2985974A1 (en)2014-08-132016-02-17Palantir Technologies, Inc.Malicious tunneling handling system
US9930055B2 (en)2014-08-132018-03-27Palantir Technologies Inc.Unwanted tunneling alert system
US20160191532A1 (en)2014-12-292016-06-30Palantir Technologies Inc.Systems for network risk assessment including processing of user access rights associated with a network of devices
US9407652B1 (en)2015-06-262016-08-02Palantir Technologies Inc.Network anomaly detection
EP3110104A1 (en)2015-06-262016-12-28Palantir Technologies, Inc.Improved network anomaly detection
US20170099311A1 (en)2015-06-262017-04-06Palantir Technologies Inc.Network anomaly detection
US9628500B1 (en)2015-06-262017-04-18Palantir Technologies Inc.Network anomaly detection
US20170195354A1 (en)2015-06-262017-07-06Palantir Technologies Inc.Network anomaly detection
US9537880B1 (en)2015-08-192017-01-03Palantir Technologies Inc.Anomalous network monitoring, user behavior detection and database system
EP3133522A1 (en)2015-08-192017-02-22Palantir Technologies, Inc.Anomalous network monitoring, user behavior detection and database system

Non-Patent Citations (66)

* Cited by examiner, † Cited by third party
Title
Baker et al., "The Development of a Common Enumeration of Vulnerabilities and Exposures," Presented at the Second International Workshop on Recent Advances in Intrusion Detection, Sep. 7-9, 1999, pp. 35.
Bhuyan et al., "Network Anomaly Detection: Methods, Systems and Tools," First Quarter 2014, IEEE, in 34 pages.
Crosby et al., "Efficient Data Structures for Tamper-Evident Logging," Department of Computer Science, Rice University, 2009, pp. 17.
FireEye, <http://www.fireeye.com/> Printed Jun. 30, 2014 in 2 pages.
FireEye-Products and Solutions Overview, <http://www.fireeye.com/products-and-solutions> Printed Jun. 30, 2014 in 3 pages.
FireEye—Products and Solutions Overview, <http://www.fireeye.com/products-and-solutions> Printed Jun. 30, 2014 in 3 pages.
Glaab et al., "EnrichNet: Network-Based Gene Set Enrichment Analysis," Bioinformatics 28.18 (2012): pp. i451-i457.
Huang et al., "Systematic and Integrative Analysis of Large Gene Lists Using DAVID Bioinformatics Resources," Nature Protocols, 4.1, 2008, 44-57.
Hur et al., "SciMiner: web-based literature mining tool for target identification and functional enrichment analysis," Bioinformatics 25.6 (2009): pp. 838-840.
Lee et al., "A Data Mining and CIDF Based Approach for Detecting Novel and Distributed Intrusions," Lecture Notes in Computer Science, vol. 1907 Nov. 11, 2000, pp. 49-65.
Ma et al., "A New Approach to Secure Logging," ACM Transactions on Storage, vol. 5, No. 1, Article 2, Published Mar. 2009, 21 pages.
Notice of Allowance for U.S. Appl. No. 14/033,076 dated Mar. 11, 2016.
Notice of Allowance for U.S. Appl. No. 14/223,918 dated Jan. 6, 2016.
Notice of Allowance for U.S. Appl. No. 14/280,490 dated Nov. 26, 2014.
Notice of Allowance for U.S. Appl. No. 14/473,860 dated Feb. 27, 2015.
Notice of Allowance for U.S. Appl. No. 14/473,860 dated Jan. 5, 2015.
Notice of Allowance for U.S. Appl. No. 14/479,863 dated Mar. 31, 2015.
Notice of Allowance for U.S. Appl. No. 14/823,935 dated Apr. 25, 2016.
Notice of Allowance for U.S. Appl. No. 14/970,317 dated May 26, 2016.
Notice of Allowance for U.S. Appl. No. 14/982,699 dated Oct. 7, 2016.
Notice of Allowance for U.S. Appl. No. 15/207,343 dated Apr. 3, 2018.
Notice of Allowance for U.S. Appl. No. 15/224,443 dated Dec. 19, 2016.
Notice of Allowance for U.S. Appl. No. 15/228,297 dated Nov. 24, 2017.
Notice of Allowance for U.S. Appl. No. 15/462,540 dated May 10, 2018.
Official Communication for European Patent Application No. 14199180.2 dated Aug. 31, 2015.
Official Communication for European Patent Application No. 14199180.2 dated Jun. 22, 2015.
Official Communication for European Patent Application No. 15175106.2 dated Nov. 5, 2015.
Official Communication for European Patent Application No. 15180985.2 dated Jan. 15, 2016.
Official Communication for European Patent Application No. 15180985.2 dated Mar. 30, 2017.
Official Communication for European Patent Application No. 16176273.7 dated Oct. 21, 2016.
Official Communication for European Patent Application No. 16184823.9 dated May 23, 2018.
Official Communication for European Patent Application No. 16184823.9 dated Nov. 24, 2016.
Official Communication for European Patent Application No. 17155145.0 dated Aug. 31, 2017.
Official Communication for European Patent Application No. 18161005.6 dated Apr. 11, 2018.
Official Communication for U.S. Appl. No. 14/033,076 dated Aug. 13, 2015.
Official Communication for U.S. Appl. No. 14/033,076 dated Nov. 6, 2015.
Official Communication for U.S. Appl. No. 14/223,918 dated Jun. 8, 2015.
Official Communication for U.S. Appl. No. 14/280,490 dated Jul. 24, 2014.
Official Communication for U.S. Appl. No. 14/473,860 dated Nov. 4, 2014.
Official Communication for U.S. Appl. No. 14/479,863 dated Dec. 26, 2014.
Official Communication for U.S. Appl. No. 14/490,612 dated Aug. 18, 2015.
Official Communication for U.S. Appl. No. 14/490,612 dated Jan. 27, 2015.
Official Communication for U.S. Appl. No. 14/490,612 dated Mar. 31, 2015.
Official Communication for U.S. Appl. No. 14/731,312 dated Apr. 14, 2016.
Official Communication for U.S. Appl. No. 14/816,748 dated Apr. 1, 2016.
Official Communication for U.S. Appl. No. 14/816,748 dated May 24, 2016.
Official Communication for U.S. Appl. No. 14/823,935 dated Dec. 4, 2015.
Official Communication for U.S. Appl. No. 14/923,712 dated Feb. 12, 2016.
Official Communication for U.S. Appl. No. 14/923,712 dated Jun. 17, 2016.
Official Communication for U.S. Appl. No. 14/970,317 dated Mar. 21, 2016.
Official Communication for U.S. Appl. No. 14/982,699 dated Aug. 26, 2016.
Official Communication for U.S. Appl. No. 14/982,699 dated Mar. 25, 2016.
Official Communication for U.S. Appl. No. 15/071,064 dated Jun. 16, 2016.
Official Communication for U.S. Appl. No. 15/207,343 dated May 17, 2017.
Official Communication for U.S. Appl. No. 15/207,343 dated Nov. 23, 2016.
Official Communication for U.S. Appl. No. 15/207,343 dated Sep. 27, 2017.
Official Communication for U.S. Appl. No. 15/228,297 dated Jun. 30, 2017.
Official Communication for U.S. Appl. No. 15/462,540 dated Jul. 5, 2017.
Official Communication for U.S. Appl. No. 15/462,540 dated Oct. 13, 2017.
Official Communication for U.S. Appl. No. 15/838,658 dated Mar. 8, 2018.
Schneier et al., "Automatic Event Stream Notarization Using Digital Signatures," Security Protocols, International Workshop Apr. 1996 Proceedings, Springer-Veriag, 1997, pp. 155-169, https://schneier.com/paper-event-stream.pdf.
Schneier et al., "Cryptographic Support for Secure Logs on Untrusted Machines," The Seventh USENIX Security Symposium Proceedings, USENIX Press, Jan. 1998, pp. 53-62, https://www.schneier.com/paper-secure-logs.pdf.
VirusTotal-About, <http://www.virustotal.com/en/about/> Printed Jun. 30, 2014 in 8 pages.
VirusTotal—About, <http://www.virustotal.com/en/about/> Printed Jun. 30, 2014 in 8 pages.
Waters et al., "Building an Encrypted and Searchable Audit Log," Published Jan. 9, 2004, 11 pages, http://www.parc.com/content/attachments/building_encrypted_searchable_5059_parc.pdf.
Zheng et al., "GOEAST: a web-based software toolkit for Gene Ontology enrichment analysis," Nucleic acids research 36.suppl 2 (2008): pp. W385-W363.

Cited By (12)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US10609046B2 (en)2014-08-132020-03-31Palantir Technologies Inc.Unwanted tunneling alert system
US10735448B2 (en)2015-06-262020-08-04Palantir Technologies Inc.Network anomaly detection
US11470102B2 (en)2015-08-192022-10-11Palantir Technologies Inc.Anomalous network monitoring, user behavior detection and database system
US11397723B2 (en)2015-09-092022-07-26Palantir Technologies Inc.Data integrity checks
US11940985B2 (en)2015-09-092024-03-26Palantir Technologies Inc.Data integrity checks
US11212306B2 (en)*2016-09-062021-12-28Accenture Global Solutions LimitedGraph database analysis for network anomaly detection systems
US11418529B2 (en)2018-12-202022-08-16Palantir Technologies Inc.Detection of vulnerabilities in a computer network
US11882145B2 (en)2018-12-202024-01-23Palantir Technologies Inc.Detection of vulnerabilities in a computer network
US11128649B1 (en)2019-03-062021-09-21Trend Micro IncorporatedSystems and methods for detecting and responding to anomalous messaging and compromised accounts
US11165817B2 (en)*2019-10-242021-11-02Arbor Networks, Inc.Mitigation of network denial of service attacks using IP location services
US20220385684A1 (en)*2021-06-012022-12-01Cytwist Ltd.Artificial intelligence cyber identity classification
CN117675506A (en)*2023-10-162024-03-08北京智慧城市网络有限公司Intelligent network operation and maintenance management method and system based on user behavior analysis

Also Published As

Publication numberPublication date
US11470102B2 (en)2022-10-11
US20190081971A1 (en)2019-03-14
EP3133522B1 (en)2021-03-24
US20170111381A1 (en)2017-04-20
EP3832507A1 (en)2021-06-09
EP3133522A1 (en)2017-02-22
US9537880B1 (en)2017-01-03

Similar Documents

PublicationPublication DateTitle
US11470102B2 (en)Anomalous network monitoring, user behavior detection and database system
JP7539408B2 (en) Detecting Cloud User Behavior Anomalies Regarding Outlier Actions
JP7595723B2 (en) Deploy dynamic policies to detect threats and provide access visibility
CN113949557B (en)Method, system, and medium for monitoring privileged users and detecting abnormal activity in a computing environment
CN108702367B (en) Computer-implemented method, system, and readable medium for security management
US8978114B1 (en)Recommendation engine for unified identity management across internal and shared computing applications
CN113396411B (en) System and method for enhanced host classification
US20180337937A1 (en)Feature-Agnostic Behavior Profile Based Anomaly Detection
US20240223578A1 (en)Automated incident response tracking and enhanced framework for cyber threat analysis
US20250284837A1 (en)Electronic device for managing access to an application and method thereof
US12206687B2 (en)Automated incident response tracking and enhanced framework for cyber threat analysis
US20240357021A1 (en)Securing sensitive data during web sessions
HaberPrivilege Monitoring
HK1260681A1 (en)Techniques for discovering and managing security of applications

Legal Events

DateCodeTitleDescription
STCFInformation on status: patent grant

Free format text:PATENTED CASE

CCCertificate of correction
ASAssignment

Owner name:MORGAN STANLEY SENIOR FUNDING, INC., AS ADMINISTRATIVE AGENT, NEW YORK

Free format text:SECURITY INTEREST;ASSIGNOR:PALANTIR TECHNOLOGIES INC.;REEL/FRAME:051713/0149

Effective date:20200127

Owner name:ROYAL BANK OF CANADA, AS ADMINISTRATIVE AGENT, CANADA

Free format text:SECURITY INTEREST;ASSIGNOR:PALANTIR TECHNOLOGIES INC.;REEL/FRAME:051709/0471

Effective date:20200127

ASAssignment

Owner name:PALANTIR TECHNOLOGIES INC., CALIFORNIA

Free format text:RELEASE BY SECURED PARTY;ASSIGNOR:ROYAL BANK OF CANADA;REEL/FRAME:052856/0382

Effective date:20200604

Owner name:MORGAN STANLEY SENIOR FUNDING, INC., NEW YORK

Free format text:SECURITY INTEREST;ASSIGNOR:PALANTIR TECHNOLOGIES INC.;REEL/FRAME:052856/0817

Effective date:20200604

ASAssignment

Owner name:PALANTIR TECHNOLOGIES INC., CALIFORNIA

Free format text:CORRECTIVE ASSIGNMENT TO CORRECT THE ERRONEOUSLY LISTED PATENT BY REMOVING APPLICATION NO. 16/832267 FROM THE RELEASE OF SECURITY INTEREST PREVIOUSLY RECORDED ON REEL 052856 FRAME 0382. ASSIGNOR(S) HEREBY CONFIRMS THE RELEASE OF SECURITY INTEREST;ASSIGNOR:ROYAL BANK OF CANADA;REEL/FRAME:057335/0753

Effective date:20200604

MAFPMaintenance fee payment

Free format text:PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment:4

ASAssignment

Owner name:WELLS FARGO BANK, N.A., NORTH CAROLINA

Free format text:ASSIGNMENT OF INTELLECTUAL PROPERTY SECURITY AGREEMENTS;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC.;REEL/FRAME:060572/0640

Effective date:20220701

Owner name:WELLS FARGO BANK, N.A., NORTH CAROLINA

Free format text:SECURITY INTEREST;ASSIGNOR:PALANTIR TECHNOLOGIES INC.;REEL/FRAME:060572/0506

Effective date:20220701

ASAssignment

Owner name:PALANTIR TECHNOLOGIES INC., COLORADO

Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:JONES, SAMUEL;YOUSAF, TIMOTHY;DENNISON, DREW;AND OTHERS;SIGNING DATES FROM 20150125 TO 20160223;REEL/FRAME:064912/0219
[8]ページ先頭
©2009-2025 Movatter.jp